Secure intercepts
There are cases where the Secure Kernel may need to prevent the NT kernel, which executes at a lower VTL, from accessing certain critical system resources. For example, writes to some processor’s MSRs could potentially be used to mount an attack that would disable the hypervisor or subvert some of its protections. VSM provides a mechanism to allow a higher VTL to lock down critical system resources and prevent access to them by lower VTLs. The mechanism is called secure intercepts.
Secure intercepts are implemented in the Secure Kernel by registering a synthetic interrupt, which is provided by the hypervisor (remapped in the Secure Kernel to vector 0xF0). The hypervisor, when certain events cause a VMEXIT, injects a synthetic interrupt to the higher VTL on the virtual processor that triggered the intercept. At the time of this writing, the Secure Kernel registers with the hypervisor for the following types of intercepted events:
* Write to some vital processor’s MSRs (Star, Lstar, Cstar, Efer, Sysenter, Ia32Misc, and APIC base on AMD64 architectures) and special registers (GDT, IDT, LDT)
* Write to certain control registers (CR0, CR4, and XCR0)
* Write to some I/O ports (ports 0xCF8 and 0xCFC are good examples; the intercept manages the reconfiguration of PCI devices)
* Invalid access to protected guest physical memory
When VTL 0 software causes an intercept that will be raised in VTL 1, the Secure Kernel needs to recognize the intercept type from its interrupt service routine. For this purpose, the Secure Kernel uses the message queue allocated by the SynIC for the “Intercept” synthetic interrupt source (see the earlier “Inter-partition communication” section for more details about the SynIC and SINT).
The Secure Kernel is able to discover and map the physical memory page by checking the SIMP synthetic MSR, which is virtualized by the hypervisor. The mapping of the physical page is executed at Secure Kernel initialization time in VTL 1. The Secure Kernel’s startup is described later in this chapter.
Intercepts are used extensively by HyperGuard to protect sensitive parts of the normal NT kernel. If a malicious rootkit installed in the NT kernel tries to modify the system by writing a particular value to a protected register (for example to the syscall handlers, CSTAR and LSTAR, or model-specific registers), the Secure Kernel intercept handler (ShvlpInterceptHandler) filters the new register’s value, and, if it discovers that the value is not acceptable, it injects a General Protection Fault (GPF) nonmaskable exception to the NT kernel in VTL 0. This causes an immediate bugcheck, resulting in the system being stopped. If the value is acceptable, the Secure Kernel writes the new value of the register using the hypervisor through the HvSetVpRegisters hypercall (in this case, the Secure Kernel is proxying the access to the register).
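As an added illustration (not code from the book, the Secure Kernel or the hypervisor), the following C model shows the decision the intercept handler is described as making: compare the value VTL 0 attempts to write against the state recorded at VTL 1 initialization, then either proxy the write or inject a #GP back into VTL 0. The MSR numbers and EFER bit positions are architectural; the lock policy, the protected_state struct, the filter_msr_write function and the sample addresses are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
/* Architectural x86-64 MSR numbers (Intel/AMD documentation). */
#define MSR_EFER  0xC0000080u
#define MSR_LSTAR 0xC0000082u
#define MSR_CSTAR 0xC0000083u

/* EFER bits an assumed policy refuses to let VTL 0 change. */
#define EFER_SCE (1ull << 0)   /* SYSCALL/SYSRET enable */
#define EFER_LME (1ull << 8)   /* long mode enable */
#define EFER_NXE (1ull << 11)  /* no-execute page protection */
#define EFER_LOCKED (EFER_SCE | EFER_LME | EFER_NXE)

enum verdict { NOT_INTERCEPTED = 0, PROXY_WRITE = 1, INJECT_GP = 2 };
/* Known-good register contents recorded by VTL 1 at initialization
 * (constructed sample values, not real addresses). */
struct protected_state {
    uint64_t lstar;   /* 64-bit syscall entry point */
    uint64_t cstar;   /* compatibility-mode syscall entry point */
    uint64_t efer;
};

/* Decide what VTL 1 does with a VTL 0 attempt to write `value` to `msr`:
 * proxy the write to the hypervisor, or inject a #GP back into VTL 0. */
enum verdict filter_msr_write(const struct protected_state *good,
                              uint32_t msr, uint64_t value)
{
    switch (msr) {
    case MSR_LSTAR:  /* only the registered handler address is acceptable */
        return value == good->lstar ? PROXY_WRITE : INJECT_GP;
    case MSR_CSTAR:
        return value == good->cstar ? PROXY_WRITE : INJECT_GP;
    case MSR_EFER:   /* locked bits must not flip; other bits pass through */
        return ((value ^ good->efer) & EFER_LOCKED) ? INJECT_GP : PROXY_WRITE;
    default:         /* an MSR the Secure Kernel did not register for */
        return NOT_INTERCEPTED;
    }
}

int main(void)
{
    struct protected_state good = { 0xFFFFF80012345680ull, 0xFFFFF80012345900ull,
                                    EFER_SCE | EFER_LME | EFER_NXE };
    /* Redirecting the syscall handler is rejected; rewriting the same value is proxied. */
    printf("LSTAR redirect: %d\n", filter_msr_write(&good, MSR_LSTAR, 0xFFFFF80055550000ull));
    printf("LSTAR unchanged: %d\n", filter_msr_write(&good, MSR_LSTAR, good.lstar));
    printf("EFER clear NXE: %d\n", filter_msr_write(&good, MSR_EFER, good.efer & ~EFER_NXE));
    return 0;
}
```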
Source: Windows Internals, 7th Edition, Part 2, Chapter 9 (Virtualization technologies), pages 348-349.
Cause
GPFs can occur when one program in memory attempts to access another area of memory assigned to a different program.
Resolving The Problem
Something running within the Windows environment has made a call to a location in memory that it did not have access to, potentially overwriting and corrupting other program code in that area of memory. When Windows detects this, it closes down the offending program and announces that a GPF has occurred.
Another situation where a GPF may occur involves the passing of parameters between applications and the Windows environment. Invalid parameters affect the performance of Windows and its applications by forcing an invalid instruction. This is usually the result of an application's internal program code incorrectly passing specific data that cannot be correctly interpreted by Windows or by another Windows application. The result is often a GPF.
Basic troubleshooting tips are to check the system resources, the virtual memory settings, and the disk drive space. Check whether an anti-virus program is loaded in memory, because this sometimes interferes with a web browser's operation and can cause crashes.
Overclocking can cause this as well, because it corrupts data. If this happens at stock clocks, the issue is a hardware fault.