Welcome    Why?    Training    Games    ChangeBlog    External Resources    Submit Content


Advanced x86: Virtualization with

Intel VT-x

Creator:     David Weinstein  @insitusec   

License:    Creative Commons: Attribution, Share-Alike


Class Prerequisites: Intermediate x86

Lab Requirements: Requires a Windows system with Visual C++ Express Edition, Windows DDK or WDK kernel compilation environment, and WinDbg. Requires a Windows guest OS running in VMWare Player or VMWare Server in order to do kernel debugging with WinDbg from the host OS.

Class Textbook: None

Recommended Class Duration: 2-3 days

Creator Available to Teach In-Person Classes: Yes

Author Comments:

The purpose of this course is to provide a hands on introduction to Intel hardware support for virtualization. The first part will motivate the challenges of virtualization in the absence of dedicated hardware. This is followed by a deep dive on the Intel virtualization "API" and labs to begin implementing a blue pill / hyperjacking attack made famous by researchers like Joanna Rutkowska and Dino Dai Zovi et al. Finally a discussion of virtualization detection techniques.

Hopefully after this course the student will be able to identify, understand, and implement various hypervisor concepts. As virtualization is a powerful tool, it is very important to understand its strengths and weaknesses. The author believes that hands-on experience with virtualization is practical and accessible, particularly when presented alongside other Open Security Training materials.

Class Materials

All Materials (.zip of ppt(269 slides), pdf(manuals), visual studio(code) files)
All Materials (.zip of odp(269 slides), pdf(manuals), visual studio(code) files)
All Materials (.zip of pdf(269 slides), pdf(manuals), visual studio(code) files)

Slides Part 1 (Historical perspective and fundamentals, 69 slides)
Slides Part 2 (Technical deep dive, 162 slides)
Slides Part 3 (Detection techniques/countermeasures, 38 slides)
PDFs of exact versions of Intel Manuals cited in the slides

Code templates for solutions to labs found in the course slides.
Virtdbg is a POC kernel debugger taking advantage of hardware virtualization technology. https://code.google.com/p/virtdbg/
Loadable Kernel Module for Linux that creates a /dev/vmm and is used as a real mode container for experimenting with 16-bit code.

Revision History:

09-08-2012 - Initial class content upload

If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.