Page 1
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Pages 2 to 5
Hypervisor
(Diagram: the hypervisor sits beneath the "Host OS" in the root partition and VM 1 … VM N in partitions 1 … n.)
• Manages the physical address space of partitions (via EPT; on AMD hardware the equivalent second-level page tables are NPT)
• Handles intercepts (e.g. hypercalls, IN/OUT instructions, the CPUID instruction, EPT page faults, etc.)
• Interrupt delivery to guests
• Manages virtualization-specific hardware configuration
Type 1 (bare metal) hypervisor
Most Hyper-V attack surface is not in the hypervisor
Hypervisor EPT enforces physical memory isolation between partitions
Pages 6 to 7
Root Partition ("Host OS")
(Diagram: the same layout, with the root partition highlighted.)
• Manages other VMs (create/destroy/etc.)
• Access to the physical memory of other partitions
• Access to all hardware
• Provides services such as device emulation, para-virtualized networking/storage, etc.
Most Hyper-V attack surface is in the root partition
Root partition can access other partitions' physical memory
Page 8
Guest Partitions (VM 1 … VM N)
(Diagram: the same layout, with the guest partitions highlighted.)
• No access to other partitions' physical memory
• No access to hardware (unless a device has been handed to the guest with Discrete Device Assignment, which is not the default model)
• Access to a limited set of hypercalls (example: faster TLB flush)
• No ability to communicate with partitions other than the root
There is no direct guest-to-guest attack surface
Communicates with root partition & hypervisor using well-defined interfaces
Pages 9 to 10
Hyper-V Architecture: Root Partition Services
Page 11
Hyper-V Architecture: Root Partition
• Virtual Devices (hosted in the VM Worker Process)
  • Emulators
  • Non-emulated devices
  • vSMB Server (containers)
  • Plan9FS (containers)
  • Integration Components
(Diagram: root partition components, split into kernel mode and user mode.)
Kernel mode:
• Virtualization Infrastructure Driver – VID.sys
• Para-virtualized Networking – VMSwitch.sys
• Para-virtualized Storage – StorVSP.sys
• Para-virtualized PCI – vPCI.sys
• VMBUS – VMBusR.sys
• Kernel-Hypervisor Interface – WinHVr.sys (the diagram labels this box WinHV.sys in one copy and WinHVr.sys in the other; WinHVr.sys is the root partition's variant)
User mode:
• VM Worker Process – VMWP.exe: one per VM; hosts the virtual devices listed above, so this is where most guest-reachable root partition code runs
• VM Mgmt Service – VMMS.exe: responsible for managing the state of all the VMs. No direct guest attack surface.
• VM Compute – VMCompute.exe: responsible for VM management and container management.
• VM Mem – vmmem.exe: a minimal process, used as a separate virtual address space to make certain mappings.
Pages 12 to 13
Hypercalls
• "System calls" of the hypervisor
• Guest-accessible hypercalls are documented as part of the Hyper-V TLFS
• Some hypercalls pass arguments via registers, others use physical pages (GPA in register)
Overlay Pages
• A way for the hypervisor to forcibly map a physical page into a partition
• Example: hypercall code page
Faults
• Triple fault, EPT page faults (e.g. permission faults, GPA not mapped, etc.)
• This is how MMIO can be virtualized by VDEVs (fault on access to a virtual MMIO range)
Instruction Emulation
• Attempt to execute instructions such as CPUID, RDTSC, RDPMC, INVLPG, IN, OUT, etc.
Register Access
• Attempt to read/write control registers, MSRs
Page 14
Extended Hypercalls
• Hypercalls that the hypervisor forwards directly to the VID
VMBUS
• High-speed communication channel accessed through the Kernel Mode Client Library (KMCL) abstraction layer
Aperture
• Host can map guest physical memory and interact with it
• Rarely used
Intercept Handling
• Hypervisor forwards some intercepts it receives to the host for processing
• IO port read/write
• EPT faults: is the memory paged out? Is that memory a virtual MMIO page?
• Etc.
Page 15
IO Ports
• User-mode components can register for notifications when particular IO ports are written/read
• Used to emulate hardware
MMIO
• Components can register GPA ranges as MMIO ranges and receive notifications when the ranges are written/read
• Used to emulate hardware
VMBUS
• High-speed communication channel accessed through named pipes or sockets
Aperture
• Map guest physical addresses into the virtual address space of VMWP
• Need to be careful to avoid shared-memory issues such as double-fetch: the guest can keep writing the mapped page while VMWP reads it, so each guest-controlled field must be read once into host-private memory and validated there, never re-read from the page after the check
Read/Write Notifications
• Triggered when a specified GPA is read/written; EIP is not advanced (no emulation)
• Used to track when pages are dirtied while live migrating (as an example)
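How the double-fetch the slide warns about plays out, as an added example constructed for this page (it is not VMWP code): a guest-writable page modelled as a struct, a handler that validates a length field and then re-reads it from the shared page, and the single-fetch form that copies the field out first. The types, names and the guest_grow_len race callback are invented for the demo; the callback stands in for a guest vCPU writing the page between the host's check and its use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not VMWP code. It models a packet a guest placed in
 * a GPA range the host mapped through an aperture: the guest keeps write
 * access to the page, so any field can change between two host reads. */
#define PAGE_SIZE    4096u
#define MAX_PAYLOAD  64u

typedef struct {
    volatile uint32_t len;                          /* guest-writable */
    uint8_t           payload[PAGE_SIZE - sizeof(uint32_t)];
} aperture_packet_t;

/* Host-side destination: the real target buffer followed by a guard region,
 * so an overflow shows up as dirtied guard bytes instead of corrupting the
 * demo's own memory. */
typedef struct {
    uint8_t data[MAX_PAYLOAD];
    uint8_t guard[PAGE_SIZE];
} host_buffer_t;

/* Stand-in for a guest vCPU that races the host between check and use. */
typedef void (*guest_race_fn)(aperture_packet_t *pkt);

/* VULNERABLE: len is read from shared memory twice, once to validate and
 * once to size the copy; the guest can change it in between. */
size_t copy_double_fetch(aperture_packet_t *pkt, host_buffer_t *dst, guest_race_fn race)
{
    if (pkt->len > MAX_PAYLOAD)                /* fetch 1: check */
        return 0;
    if (race) race(pkt);                        /* guest rewrites len here */
    size_t n = pkt->len;                        /* fetch 2: use, unvalidated */
    if (n > sizeof(*dst)) n = sizeof(*dst);     /* keeps the demo in bounds only */
    memcpy((uint8_t *)dst, pkt->payload, n);    /* overruns data[] into guard[] */
    return n;
}

/* HARDENED: read the guest field once into host-private memory, validate
 * that copy and size the copy from it. The payload bytes can still change
 * while memcpy runs, so everything afterwards works on dst, never on pkt. */
size_t copy_single_fetch(aperture_packet_t *pkt, host_buffer_t *dst, guest_race_fn race)
{
    uint32_t len = pkt->len;                    /* the only fetch */
    if (len > MAX_PAYLOAD)
        return 0;
    if (race) race(pkt);                        /* too late to matter */
    memcpy(dst->data, pkt->payload, len);
    return len;
}

/* Guest behaviour for the demo: pass the check with len = 16, then grow
 * len to the whole page once the host has validated it. */
void guest_grow_len(aperture_packet_t *pkt) { pkt->len = sizeof(pkt->payload); }

static void prepare(aperture_packet_t *pkt, host_buffer_t *dst)
{
    memset(pkt, 0xAB, sizeof(*pkt));            /* recognisable payload bytes */
    pkt->len = 16;
    memset(dst, 0, sizeof(*dst));
}

size_t guard_bytes_dirtied(const host_buffer_t *dst)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof(dst->guard); i++)
        n += (dst->guard[i] != 0);
    return n;
}

/* Returns how many guard bytes each handler clobbered under the race. */
size_t run_double_fetch(void)
{
    static aperture_packet_t pkt; static host_buffer_t dst;
    prepare(&pkt, &dst);
    copy_double_fetch(&pkt, &dst, guest_grow_len);
    return guard_bytes_dirtied(&dst);
}

size_t run_single_fetch(void)
{
    static aperture_packet_t pkt; static host_buffer_t dst;
    prepare(&pkt, &dst);
    copy_single_fetch(&pkt, &dst, guest_grow_len);
    return guard_bytes_dirtied(&dst);
}

int main(void)
{
    printf("guard bytes dirtied: double fetch=%zu, single fetch=%zu\n",
           run_double_fetch(), run_single_fetch());
    return 0;
}
```

The race callback makes the interleaving deterministic; on real hardware the window is the handful of instructions between the two loads, and a guest only has to win it once. The same rule applies to any GPADL or GPA-direct range referenced from a VMBus packet, not only to aperture mappings.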
Page 16
(Diagram: guest physical address space laid out as pages 0x1000 … 0x8F000, 0x90000, 0x91000.)
Pages 17 to 18
Annotations on the KMCL channel callbacks shown on the slide (in the KMCL these are the EvtVmbChannelProcessPacket and EvtVmbChannelProcessingComplete callbacks):
• Packet callback: called to process each packet received from the guest
• Calls to this function are serialized per-channel
• The buffer contains guest-controlled data, NOT in shared memory (KMCL has copied the packet out of the ring buffer; any guest memory the packet references through GPA or GPADL ranges is still shared and still guest-writable)
• Completion callback: called after a group of packets has been delivered
Pages 19 to 20
Handler parameters shown on the slide:
• MMIO read notification: RangeBase, RangeOffset, NumberOfBytes, ReadBuffer[]
• MMIO write notification: RangeBase, RangeOffset, NumberOfBytes, WriteBuffer[]
• IO port read notification: IoAddress, AccessSize, ReadData
• IO port write notification: IoAddress, AccessSize, WriteData
Pages 21 to 22
https://blogs.technet.microsoft.com/virtualization/2018/04/25/hyper-v-symbols-for-debugging/
Page 23
• Intercepted I/O vulnerabilities
  • CVE-2017-0051 – VMSwitch VmsMpCommonPvtSetNetworkAddress Out-of-Bounds Read Vulnerability
  • CVE-2018-0964 – vPCI VpciMsgCreateInterruptMessage Uninitialized Stack Object
  • CVE-2017-8706 – VideoSynthDevice::SynthVidSendSupportedResolutionsResponse Uninitialized Object Field
  • CVE-2018-0959 – Out-of-Bounds Read/Write in VmEmulatedStorage
  • CVE-2018-0888 – Information disclosure during MMIO emulation
Page 24
Hyper-V Architecture: Root Partition (the component diagram from Page 11, repeated)
Page 25
• Intercepted I/O vulnerabilities (the list from Page 23, repeated)
Page 26
CVE-2017-0051 – VMSwitch VmsMpCommonPvtSetNetworkAddress Out-of-Bounds Read Vulnerability
Page 27
CVE-2017-0051 – VMSwitch VmsMpCommonPvtSetNetworkAddress Out-of-Bounds Read Vulnerability
Repro flow (from the slide's diagram):
1. Patch the Linux drivers in rndis_filter.c (the guest-side RNDIS filter driver under drivers/net/hyperv)
2. Run ifconfig
3. RNDIS packet sent to the VMBUS
4. VmsMpCommonPvtSetNetworkAddress with a long unterminated string
5. Cause an error to log the long string
Page 28
CVE-2017-0051 – VMSwitch VmsMpCommonPvtSetNetworkAddress Out-of-Bounds Read Vulnerability
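The bug class behind this repro, as an added example written for this page (it is not VMSwitch code and not from the presentation): a hypothetical length-prefixed "set network address" message, a handler that logs it with %s and therefore walks past the end of the packet, and a handler that bounds every read by the packet length. The struct, names and sizes are invented; the packet is constructed inline with an unterminated 16-byte address followed by 256 non-zero bytes standing in for whatever follows it in the ring, and a final NUL so the demo's over-read stops deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not VMSwitch code. Only the bug class follows the
 * slide: a length-prefixed guest buffer treated as a NUL-terminated string. */
#define RING_SIZE 256u   /* bytes of "next packet" data that follow ours */
#define ADDR_LEN  16u    /* length of the constructed, unterminated address */
#define ADDR_MAX  64u    /* longest address the hardened handler accepts */

/* Hypothetical request as a VSP sees it after KMCL hands over the packet. */
typedef struct {
    uint32_t address_len;   /* guest-declared length of address[] */
    char     address[];     /* guest bytes, NOT guaranteed to end in NUL */
} set_address_msg_t;

/* Vulnerable: trusts that address[] is terminated. strlen() and %s walk
 * past the end of the packet into whatever follows it. Returns how many
 * bytes beyond the declared length were read. */
size_t log_address_vulnerable(const set_address_msg_t *msg)
{
    size_t walked = strlen(msg->address);          /* over-read starts here */
    printf("set address: %s\n", msg->address);
    return walked > msg->address_len ? walked - msg->address_len : 0;
}

/* Hardened: check the declared length against the packet that actually
 * arrived, cap it, copy into a private buffer and terminate that copy.
 * Returns the accepted length, or a negative code on rejection. */
int log_address_hardened(const set_address_msg_t *msg, size_t packet_len, char out[ADDR_MAX])
{
    if (packet_len < sizeof(*msg) || msg->address_len > packet_len - sizeof(*msg))
        return -1;                                  /* length field lies */
    if (msg->address_len >= ADDR_MAX)
        return -2;                                  /* too long to accept */
    memcpy(out, msg->address, msg->address_len);
    out[msg->address_len] = '\0';                   /* our copy is terminated */
    printf("set address: %.*s\n", (int)msg->address_len, out);
    return (int)msg->address_len;
}

/* Constructed ring: [len][16 x 'A' with no NUL][256 x 'X'][NUL]. */
static _Alignas(4) uint8_t ring[sizeof(set_address_msg_t) + ADDR_LEN + RING_SIZE + 1];

static set_address_msg_t *build_packet(void)
{
    set_address_msg_t *msg = (set_address_msg_t *)ring;
    msg->address_len = ADDR_LEN;
    memset(msg->address, 'A', ADDR_LEN);                      /* unterminated */
    memset(ring + sizeof(*msg) + ADDR_LEN, 'X', RING_SIZE);   /* next data */
    ring[sizeof(ring) - 1] = '\0';
    return msg;
}

size_t demo_vulnerable_overread(void)
{
    return log_address_vulnerable(build_packet());
}

int demo_hardened(void)
{
    char out[ADDR_MAX];
    return log_address_hardened(build_packet(), sizeof(set_address_msg_t) + ADDR_LEN, out);
}

/* Guest declares 1000 bytes but only sent 16: must be rejected, not read. */
int demo_hardened_lying_length(void)
{
    set_address_msg_t *msg = build_packet();
    char out[ADDR_MAX];
    msg->address_len = 1000;
    return log_address_hardened(msg, sizeof(set_address_msg_t) + ADDR_LEN, out);
}

int main(void)
{
    printf("vulnerable read %zu bytes past the packet\n", demo_vulnerable_overread());
    printf("hardened accepted %d bytes, lying length -> %d\n",
           demo_hardened(), demo_hardened_lying_length());
    return 0;
}
```

The over-read here is a deterministic 256 bytes because the demo places a NUL after the ring; in a real VSP the read continues until the next zero byte, which may lie in another packet, a freed allocation, or an unmapped page, and an error path that logs the "string" then sends those bytes somewhere the guest can read them.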
Page 29
Other VMSwitch issues
https://bugs.chromium.org/p/project-zero/issues/detail?id=688
https://bugs.chromium.org/p/project-zero/issues/detail?id=689
https://bugs.chromium.org/p/project-zero/issues/detail?id=690
Page 30
• Intercepted I/O vulnerabilities (the list from Page 23, repeated)
Page 31
CVE-2018-0964 – vPCI VpciMsgCreateInterruptMessage Uninitialized Stack Object
Page 32
CVE-2018-0964 – vPCI VpciMsgCreateInterruptMessage Uninitialized Stack Object
VpciMsgCreateInterruptMessage = 0x42490014
VpciMsgQueryProtocolVersion
Page 33
• Intercepted I/O vulnerabilities (the list from Page 23, repeated)
Page 34
CVE-2017-8706 – VideoSynthDevice::SynthVidSendSupportedResolutionsResponse Uninitialized Object Field
Page 35
CVE-2017-8706 – VideoSynthDevice::SynthVidSendSupportedResolutionsResponse Uninitialized Object Field
• Leak 0x86 bytes of heap memory to the guest
• Variant for a stack object in VideoSynthDevice::SendNextMessageInternal
Hyper-V Bug Bounty Today: $15,000
Double your gain with another $15,000
(Annotations on the code screenshot: sizeof(SYNTHVID_SUPPORTED_RES) bytes are sent, but only 9 bytes are initialized.)
Page 36
Change the type, size, content and start fuzzing!
CVE-2017-8706 – VideoSynthDevice::SynthVidSendSupportedResolutionsResponse Uninitialized Object Field
Page 37
• Intercepted I/O vulnerabilities (the list from Page 23, repeated)
Page 38
CVE-2018-0888 – Information disclosure during MMIO emulation

    void BatteryEmulator::NotifyMmioRead(
        _In_ UINT64 RangeBase,
        _In_ UINT64 RangeOffset,
        _In_ UINT64 NumberOfBytes,
        _Out_writes_bytes_(NumberOfBytes) BYTE ReadBuffer[]) noexcept
    {
        if (NumberOfBytes != 4)
            return;
        …

ReadBuffer is annotated _Out_writes_bytes_(NumberOfBytes), but on this early return nothing is written to it, so for any access width other than 4 bytes the caller's buffer goes back to the guest holding whatever it already contained.
Hyper-V Bug Bounty Today: $15,000
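Both leaks above (the partly initialized SYNTHVID_SUPPORTED_RES response on Page 35 and the untouched ReadBuffer here) are the same defect seen from two sides, as an added example constructed for this page (not Hyper-V code and not from the presentation): a buffer is handed to the guest with more bytes than the code ever wrote. The res_response_t struct, its field names and the C-style MMIO callback are hypothetical stand-ins; the struct is laid out so that the three fields the vulnerable builder sets add up to 9 bytes, mirroring the slide's count, while the real SYNTHVID_SUPPORTED_RES layout is not on the page. The STALE fill simulates left-over heap or stack contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Hyper-V code. STALE marks bytes left over from
 * earlier use of the memory; any STALE byte reaching the guest is a leak. */
#define STALE 0x41

/* (a) A response built on the host and copied whole to the guest. */
typedef struct {
    uint8_t  type;
    /* 3 bytes of padding live here: never a named field, so they leak even
     * if every field is assigned one by one */
    uint32_t count;
    uint32_t width;
    uint32_t height;
    uint8_t  reserved[16];
} res_response_t;

/* Counts bytes of a buffer that still hold stale data. */
static size_t stale_bytes(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (p[i] == STALE);
    return n;
}

/* Vulnerable: assigns a few fields, then sizeof(*resp) bytes get sent. */
void build_response_vulnerable(res_response_t *resp)
{
    resp->type  = 2;
    resp->count = 1;
    resp->width = 1024;
}

/* Hardened: clear the whole object, padding included, before filling it. */
void build_response_hardened(res_response_t *resp)
{
    memset(resp, 0, sizeof(*resp));
    resp->type   = 2;
    resp->count  = 1;
    resp->width  = 1024;
    resp->height = 768;
}

/* (b) An MMIO read callback shaped like the slide's NotifyMmioRead. The
 * caller copies nbytes of readbuf to the guest whether or not we wrote them. */
void notify_mmio_read_vulnerable(uint64_t base, uint64_t off, uint64_t nbytes, uint8_t *readbuf)
{
    (void)base; (void)off;
    if (nbytes != 4)                 /* early return: readbuf untouched */
        return;
    uint32_t reg = 0x12345678;       /* the emulated 32-bit register */
    memcpy(readbuf, &reg, 4);
}

void notify_mmio_read_hardened(uint64_t base, uint64_t off, uint64_t nbytes, uint8_t *readbuf)
{
    (void)base; (void)off;
    memset(readbuf, 0xFF, nbytes);   /* defined value on every path first */
    if (nbytes != 4)
        return;                      /* unsupported width: guest sees all-ones */
    uint32_t reg = 0x12345678;
    memcpy(readbuf, &reg, 4);
}

/* Demo drivers: start from "dirty" memory, run the code, count the leak. */
size_t demo_response_leak(void (*build)(res_response_t *))
{
    res_response_t resp;
    memset(&resp, STALE, sizeof(resp));   /* stale heap/stack contents */
    build(&resp);
    return stale_bytes(&resp, sizeof(resp));
}

size_t demo_mmio_leak(void (*cb)(uint64_t, uint64_t, uint64_t, uint8_t *), uint64_t nbytes)
{
    uint8_t readbuf[8];
    memset(readbuf, STALE, sizeof(readbuf));
    cb(0xFED00000, 0x10, nbytes, readbuf);
    return stale_bytes(readbuf, nbytes);  /* bytes the guest would receive */
}

int main(void)
{
    printf("response bytes leaked: vulnerable=%zu hardened=%zu\n",
           demo_response_leak(build_response_vulnerable),
           demo_response_leak(build_response_hardened));
    printf("2-byte MMIO read bytes leaked: vulnerable=%zu hardened=%zu\n",
           demo_mmio_leak(notify_mmio_read_vulnerable, 2),
           demo_mmio_leak(notify_mmio_read_hardened, 2));
    return 0;
}
```

The padding bytes are the part that field-by-field initialization cannot fix, which is why the hardened builder clears the whole object first; for the callback, the dispatcher giving every handler a pre-cleared buffer would close the whole class rather than one handler at a time.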
Page 39
• Intercepted I/O vulnerabilities (the list from Page 23, repeated)
Page 40
CVE-2018-0959 – Out-of-Bounds Read/Write in VmEmulatedStorage
DriveStateBufferOffset was not properly set
Page 41
CVE-2018-0959 – Out-of-Bounds Read/Write in VmEmulatedStorage
$150,000
Pages 42 to 43
HARDENING HYPER-V THROUGH OFFENSIVE SECURITY RESEARCH
Pages 44 to 45
http://www.alex-ionescu.com/syscan2015.pdf
www.andrea-allievi.com/files/Recon_2017_Montreal_HyperV_public.pptx
Page 46
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs
Linux guest drivers (paths in the kernel tree at the time of the talk):
Component            Location
VMBUS                drivers/hv/vmbus_drv.c
Synthetic IDE/SCSI   drivers/scsi/storvsc_drv.c
Synthetic NIC        drivers/net/hyperv
PCI                  drivers/pci/host/pci-hyperv.c (moved to drivers/pci/controller/pci-hyperv.c in later kernels)
Dynamic Memory       drivers/hv/hv_balloon.c
Synthetic Video      drivers/video/fbdev/hyperv_fb.c
HID                  drivers/hid/hid-hyperv.c
Misc. (IC's, etc.)   drivers/hv
Pages 47 to 49
Annotations on the KMCL channel callbacks (repeated from Page 18, with the completion callback described more precisely):
• Packet callback: called to process each packet received from the guest
• Calls to this function are serialized per-channel
• The buffer contains guest-controlled data, NOT in shared memory
• Completion callback: called after a group of packets has been delivered, if there will be a pause in future packet delivery
Pages 50 to 56
Page 57
• MMIO read notification: RangeBase, RangeOffset, NumberOfBytes, ReadBuffer[]
• MMIO write notification: RangeBase, RangeOffset, NumberOfBytes, WriteBuffer[]
Page 58
• IO port read notification: IoAddress, AccessSize, ReadData
• IO port write notification: IoAddress, AccessSize, WriteData

    HRESULT RegisterIoPortHandler(
        [in] VID_IO_PORT_ADDRESS PortRangeBegin,
        [in] VID_IO_PORT_ADDRESS PortRangeEnd,
        [in] IO_PORT_HANDLER_FLAGS Flags,
        [in] IVndIoPortHandler* Handler,
        [in] BOOL IsEmulationHelpful,
        [in, unique] IVndHandlerCallbackBatch* CallbackBatch,
        [out] IVndRegisteredNotifier** Notifier);
Pages 59 to 63
CVE-2017-0051 – VMSwitch VmsMpCommonPvtSetNetworkAddress Out-of-Bounds Read Vulnerability
Page 64
CVE-2017-8706 – VideoSynthDevice::SynthVidSendSupportedResolutionsResponse Uninitialized Stack Object
Page 65
CVE-2018-0959 – Out-of-Bounds Read/Write in VmEmulatedStorage
Page 66
CVE-2018-0888 – Information disclosure during MMIO emulation
Call stack from the debugger (kc) at the vulnerable handler, from the guest's faulting MMIO access up to the thread start:

    0:001> kc
    Call Site
    vmchipset!BatteryEmulator::NotifyMmioRead
    vmwp!VmbComMmioHandlerAdapter::ReadCallback
    vmwp!VmbCallback::NotifyMmioRead
    vmwp!VND_HANDLER_CONTEXT::NotifyMmioRead
    vmwp!EmulatorVp::DispatchMmioOperation
    vmwp!EmulatorVp::FinishReadMemoryOperation
    vmwp!EmulatorVp::FinishReadModRmOperation
    vmwp!EmulatorVp::ExecuteGEInstruction
    vmwp!EmulatorVp::ExecuteInstructions
    vmwp!EmulatorVp::ActuallyAttemptEmulation
    vmwp!EmulatorVp::TryEmulation
    vmwp!VndIce::HandleExecutionRequest
    vmwp!VndCompletionHandler::HandleVndCallback
    vmwp!VndCompletionThread::RunSelf
    vmwp!<lambda_0d2132334fa52e9e02abe1e6c85d8104>::operator()
    vmwp!Vml::VmThread::Run
    vmwp!Vml::VmThread::OnRunThread
    ucrtbase!invoke_thread_procedure
    ucrtbase!thread_start<unsigned int (__cdecl*)(void * __ptr64)>
    KERNEL32!BaseThreadInitThunk
    ntdll!RtlUserThreadStart