
NoirVisor Development Status Report by Oct 2020

2020-10-23 - Virtualization Technology

Happy Second Anniversary of Project NoirVisor! In the second year of NoirVisor, the SVM-Core, designed for AMD processors, was implemented, although the NPT-based stealth inline hook is still only at the sketch stage. The stealth inline hook constructor was remastered with a flexible design built on a simple detour facility.

Let’s review the achievements of the commits leading up to the second anniversary.
First, despite the stalemate on the NPT-based stealth inline hook, NoirVisor now implements the minimum Microsoft Hv#1 hypervisor interface.
The second significant change is the removal of CPUID caching. I had wishfully assumed that caching CPUID results would improve the performance of CPUID interception. However, the values returned by CPUID are not always constant (some leaves report the executing logical processor's APIC ID, for example, so the same query returns different values on different cores), so the CPUID result must not be cached.
The third improvement fixes a mistake common to most open-source hypervisors: the handling of #DB exceptions upon instruction interception. In most open-source hypervisors, #DB exceptions induced by single-stepping or by the DRx debug registers often fail to be delivered to the guest. NoirVisor has fixed this problem, unless there are known severe security vulnerabilities in the latest EWDK.
The fourth point is the plan to port NoirVisor to UEFI. This has become a popular focus of development recently: Satoshi Tanda released his research hypervisors running on UEFI to GitHub, and Alex Ionescu’s SimpleVisor achieved that years earlier. I will follow in their footsteps.
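The third point above, the single-step #DB that is lost when a hypervisor skips an intercepted instruction, as an added C example that is not NoirVisor's code: `guest_state_t`, `retire_naive`, `retire_fixed` and `single_step_pending` are hypothetical names over a constructed register snapshot, not VMCB or VMCS fields.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed guest register snapshot; real VMCB/VMCS fields are named differently. */
typedef struct { uint64_t rip, rflags, dr6, debugctl; } guest_state_t;

#define RFLAGS_TF    (1ull << 8)   /* trap flag: single-step after each instruction */
#define DR6_BS       (1ull << 14)  /* single-step trap occurred */
#define DR6_ONES     0xFFFF0FF0ull /* DR6 bits that architecturally read as 1 */
#define DEBUGCTL_BTF (1ull << 1)   /* TF traps only on branches, not on every instruction */

/* inject_db: must the hypervisor inject #DB before resuming the guest? */
typedef struct { uint64_t new_rip, new_dr6; bool inject_db; } retire_t;

/* A single-step trap is pending after any instruction retiring with TF=1, unless BTF narrows TF to branches. */
bool single_step_pending(uint64_t rflags, uint64_t debugctl)
{
    return (rflags & RFLAGS_TF) && !(debugctl & DEBUGCTL_BTF);
}

/* The common mistake: skip the intercepted instruction and resume, so the
 * guest debugger never receives the trap it asked for. */
retire_t retire_naive(const guest_state_t *g, unsigned insn_len)
{
    retire_t r = { g->rip + insn_len, g->dr6, false };
    return r;
}

/* The fix: when the emulated instruction retires under TF, set DR6.BS and
 * inject #DB at the new instruction boundary, as the CPU itself would. */
retire_t retire_fixed(const guest_state_t *g, unsigned insn_len)
{
    retire_t r = { g->rip + insn_len, g->dr6, false };
    if (single_step_pending(g->rflags, g->debugctl)) {
        r.new_dr6 = (g->dr6 | DR6_ONES) | DR6_BS;
        r.inject_db = true;
    }
    return r;
}

int main(void)
{
    guest_state_t g = { 0x1000, 0x202 | RFLAGS_TF, DR6_ONES, 0 }; /* single-stepping over a 2-byte CPUID */
    retire_t b = retire_fixed(&g, 2);
    printf("skip 2 bytes: rip=%#llx inject_db=%d\n", (unsigned long long)b.new_rip, b.inject_db);
    return 0;
}
```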

What’s new in the second Anniversary Update?
NoirVisor replaces the outdated compiler from WDK 7.1 with the latest EWDK10-2004. This means NoirVisor will be fully compatible with the popular ISO C99 standard instead of the Microsoft C98 standard. From now on, NoirVisor commits to updating the Windows driver compiler as soon as possible. Microsoft is working on C11 and C17 support, so hopefully NoirVisor will be compatible with the latest C standard in the near future.
NoirVisor deprecates the LDE disassembler and adopts Zydis as its disassembler. One reason for this substitution is the shared license: NoirVisor and Zydis both use the MIT license. Another reason is the active development by the Zyantific team. NoirVisor imports Zydis as a submodule, pinned to the latest release commit.
Zero Tang has completed the host-environment setup for NoirVisor on UEFI. In the near future, NoirVisor will subvert the system at the UEFI boot-time stage and monitor the system from there. Let’s assume NoirVisor on UEFI will be released in 2021.

I will keep myself on the way to everlasting innovation and always look forward to perfection. Even if the world is cursed, even if God retributes me, I will continue to struggle, singing hymns of hope.
