{"id":13837586,"url":"https://github.com/tandasat/hvext","last_synced_at":"2025-10-07T01:19:04.395Z","repository":{"id":173232496,"uuid":"649118389","full_name":"tandasat/hvext","owner":"tandasat","description":"The Windbg extension that implements commands helpful to study Hyper-V on Intel processors.","archived":false,"fork":false,"pushed_at":"2024-05-18T21:23:11.000Z","size":126,"stargazers_count":110,"open_issues_count":0,"forks_count":13,"subscribers_count":10,"default_branch":"main","last_synced_at":"2024-05-18T22:27:08.720Z","etag":null,"topics":["hyper-v","vt-x","windbg"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tandasat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-03T20:51:13.000Z","updated_at":"2024-05-18T22:27:12.213Z","dependencies_parsed_at":"2023-07-08T08:46:47.727Z","dependency_job_id":"b666d836-c11c-4ca6-a702-502fee80ccbb","html_url":"https://github.com/tandasat/hvext","commit_stats":null,"previous_names":["tandasat/hvext"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tandasat%2Fhvext","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tandasat%2Fhvext/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tandasat%2Fhvext/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tandasat%2Fhvext/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tan
dasat","download_url":"https://codeload.github.com/tandasat/hvext/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225653890,"owners_count":17502939,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hyper-v","vt-x","windbg"],"created_at":"2024-08-04T15:01:15.606Z","updated_at":"2025-10-07T01:18:59.340Z","avatar_url":"https://github.com/tandasat.png","language":"JavaScript","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"readme":"# hvext\n\nThe Windbg extensions to study Hyper-V on Intel and AMD processors.\n\n- [hvext](#hvext)\n  - [Setup](#setup)\n  - [Usage on Intel](#usage-on-intel)\n  - [Usage on AMD](#usage-on-amd)\n  - [References and acknowledgement](#references-and-acknowledgement)\n\n\n## Setup\n\nAttach the debugger to Hyper-V on a target. See [Setting up KDNET over USB EEM for Bootloader and Hyper-V debugging](https://tandasat.github.io/blog/windows/2023/03/21/setting-up-kdnet-over-usb-eem-for-bootloader-and-hyper-v-debugging.html) for details.\n\nIf you encounter stability issues, consider making the target a single core with:\n```\n\u003e bcdedit /set numproc 1\n```\n\n\n## Usage on Intel\n\n1. Wait for the debugger to establish a connection. Let the target run if the debugger breaks in at initial connection. This extension does not function at this stage since processors are not in VMX root operation yet.\n\n2. Manually break in to the target Hyper-V.\n\n3. 
Load the script, for example:\n    ```\n    kd\u003e .scriptrun C:\\Users\\user\\Desktop\\hvext\\hvext_intel.js\n    JavaScript script successfully loaded from 'C:\\Users\\user\\Desktop\\hvext\\hvext_intel.js'\n    hvext loaded. Execute !hvext_help [command] for help.\n    ```\n\n4. Execute commands.\n    ```\n    kd\u003e !hvext_help\n    hvext_help [command] - Displays this message.\n    dump_dmar [pa] - Displays status and configurations of a DMA remapping unit.\n    dump_ept [verbosity] - Displays guest physical address translation managed through EPT.\n    dump_hlat [verbosity] - Displays linear address translation managed through HLAT.\n    dump_io - Displays contents of the IO bitmaps.\n    dump_msr [verbosity] - Displays contents of the MSR bitmaps.\n    dump_vmcs - Displays contents of the current VMCS.\n    ept_pte [gpa] - Displays contents of EPT entries used to translated the given GPA.\n    indexes [address] - Displays index values to walk paging structures for the given address.\n    pte [la] - Displays contents of paging structure entries used to translated the given LA.\n\n    Note: When executing some of those commands, the processor must be in VMX-root operation with an active VMCS.\n    ```\n\n\n## Usage on AMD\n\n![Demo with AMD](demo_amd.gif)\n\n1. Wait for the debugger to break in at initial connection, or manually break in to the target.\n\n2. 
Load the script, for example:\n    ```\n    kd\u003e .scriptrun C:\\Users\\user\\Desktop\\hvext\\hvext_amd.js\n    JavaScript script successfully loaded from 'C:\\Users\\user\\Desktop\\hvext\\hvext_amd.js'\n    ..................................................................\n    bp hv+0x339d34 \".echo Breakpoint 0 hit; r rax\"\n    bp hv+0x339d51 \".echo Breakpoint 1 hit; r rax\"\n    bp hv+0x38f788 \".echo Breakpoint 2 hit; r rax\"\n    bp hv+0x38f97c \".echo Breakpoint 3 hit; r rax\"\n    bp hv+0x3902f9 \".echo Breakpoint 4 hit; r rax\"\n\n    To find the address of a VMCB, break on VMRUN using the above bp commands.\n    hvext loaded. Execute !hvext_help [command] for the help message.\n    ```\n\n3. Set breakpoints as instructed and let the target run until it hits one of the breakpoints.\n    ```\n    kd\u003e bp hv+0x339d34 \".echo Breakpoint 0 hit; r rax\"\n    kd\u003e bp hv+0x339d51 \".echo Breakpoint 1 hit; r rax\"\n    kd\u003e bp hv+0x38f788 \".echo Breakpoint 2 hit; r rax\"\n    kd\u003e bp hv+0x38f97c \".echo Breakpoint 3 hit; r rax\"\n    kd\u003e bp hv+0x3902f9 \".echo Breakpoint 4 hit; r rax\"\n    kd\u003e g\n    ```\n\n4. Once the breakpoint is hit, confirm the address of VMCB (in this case, 0x102261000).\n    ```\n    Breakpoint 0 hit\n    rax=0000000102261000\n    hv+0x339d34:\n    fffff876`66f39d34 0f01da          vmload  rax\n    ```\n\n5. 
Execute commands.\n    ```\n    kd\u003e !hvext_help\n    hvext_help [command] - Displays this message.\n    dump_io \u003cpa\u003e [,verbosity] - Displays contents of the IO permissions map.\n    dump_msr \u003cpa\u003e [,verbosity] - Displays contents of the MSR permissions map.\n    dump_npt \u003cncr3\u003e [,verbosity] - Displays guest physical address translation managed through NPT.\n    dump_vmcb \u003cpa\u003e [,verbosity] - Displays contents of the VMCB.\n    indexes [address] - Displays index values to walk paging structures for the given address.\n    pte [address [,pml4]] - Displays contents of paging structure entries used to translated the given address.\n    ```\n\n    ```\n    kd\u003e !dump_vmcb 0x102261000\n    VMCB @ 0x102261000\n    +0x000: 0x0 -- Intercept reads of CR0-15\n    +0x002: 0x0 -- Intercept writes of CR0-15\n    +0x004: 0x0 -- Intercept writes of DR0-15\n    ...\n    ```\n\n\n## References and acknowledgement\n- [@ergot86's implementation](https://github.com/ergot86/crap/blob/main/hyperv_stuff.js) as the base of this script.\n- [@0vercl0k's amazing introduction](https://doar-e.github.io/blog/2017/12/01/debugger-data-model/) to Windbg Preview, including authoring extensions.\n- [@gerhart_x's IDA Python scripts](https://github.com/gerhart01/Hyper-V-scripts/blob/master/display-vmcs.py) for IDA Pro users (instead of Windbg).\n- [@KelvinMsft](https://x.com/KelvinMsft) for answering a few questions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftandasat%2Fhvext","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftandasat%2Fhvext","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftandasat%2Fhvext/lists"}