
NoirVisor

The Grimoire Hypervisor solution for x86 Processors with experimental nested virtualization support. Remastering with Rust in progress.


NoirVisor - The Grimoire Hypervisor solution for AMD64 Processors.


Introduction

NoirVisor is a hardware-accelerated hypervisor (a.k.a. VMM, Virtual Machine Monitor) with support for complex functions and purposes. It is designed to support x86 processors that provide hardware-accelerated virtualization. For example, Intel processors supporting Intel VT-x and AMD processors supporting AMD-V meet the requirement. By design, NoirVisor determines the processor manufacturer and selects the matching function core.

Namesake: NoirVisor is named after the Grimoire Noir in NieR:Gestalt/Replicant.

Processor Requirement

  • Intel processors based on the Intel 64 and IA-32 architecture, with support for Intel VT-x. Intel EPT is preferred, but not required.
  • AMD processors based on the AMD64 architecture, with support for AMD-V. Nested Paging is preferred, but not required.
  • Other processors based on the x86 architecture may be supported in the future.

It has been found that x86 processors produced by VIA, Zhaoxin and Hygon also support hardware-accelerated virtualization technology. In summary, the following has been observed:

  • Processors produced by Intel Corporation may support Intel VT-x.
  • Processors produced by Advanced Micro Devices Inc. may support AMD-V.
  • Processors produced by VIA Technologies Inc. may support Intel VT-x.
  • Processors produced by Shanghai Zhaoxin Semiconductor Co, Ltd. may support Intel VT-x.
  • Processors produced by Tianjin Haiguang Advanced Technology Investment Co, Ltd. may support AMD-V.

Note that early Zhaoxin and VIA use Centaur as vendor.
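
The vendor-to-technology mapping listed above, written out as a core-selection routine. This is an added example, not NoirVisor's code: hv_core, select_core and the macro names are hypothetical, and the vendor ID strings are the standard CPUID leaf 0 values rather than anything stated on this page.

```c
/* Added example, not NoirVisor source. Names below are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { CORE_NONE, CORE_VT, CORE_SVM } hv_core;

#define LEAF1_ECX_VMX (1u << 5) /* CPUID.01H:ECX[5]: Intel VT-x */
#define EXT1_ECX_SVM  (1u << 2) /* CPUID.8000_0001H:ECX[2]: AMD-V */

/* vendor: 12-byte CPUID leaf 0 string (EBX, EDX, ECX order).
 * A known vendor without its feature bit yields CORE_NONE. */
hv_core select_core(const char *vendor, uint32_t leaf1_ecx, uint32_t ext1_ecx)
{
    /* Vendor IDs are standard CPUID values, grouped as the page lists them. */
    static const char *const vt[] = { "GenuineIntel", "CentaurHauls",
                                      "VIA VIA VIA ", "  Shanghai  " };
    static const char *const svm[] = { "AuthenticAMD", "HygonGenuine" };
    size_t i;

    for (i = 0; i < sizeof vt / sizeof *vt; i++)
        if (strncmp(vendor, vt[i], 12) == 0)
            return (leaf1_ecx & LEAF1_ECX_VMX) ? CORE_VT : CORE_NONE;
    for (i = 0; i < sizeof svm / sizeof *svm; i++)
        if (strncmp(vendor, svm[i], 12) == 0)
            return (ext1_ecx & EXT1_ECX_SVM) ? CORE_SVM : CORE_NONE;
    return CORE_NONE; /* unknown vendor: do not guess a core */
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
int main(void)
{
    unsigned a, b, c, d, leaf1 = 0, ext1 = 0;
    char vendor[13] = { 0 };

    if (!__get_cpuid(0, &a, &b, &c, &d))
        return 1;
    memcpy(vendor, &b, 4);
    memcpy(vendor + 4, &d, 4);
    memcpy(vendor + 8, &c, 4);
    if (__get_cpuid(1, &a, &b, &c, &d)) leaf1 = c;
    if (__get_cpuid(0x80000001u, &a, &b, &c, &d)) ext1 = c;
    printf("vendor=\"%s\" core=%d\n", vendor, (int)select_core(vendor, leaf1, ext1));
    return 0;
}
#else
int main(void) { puts("CPUID is only available on x86"); return 0; }
#endif
```

The CPUID bits only report that the processor implements the feature; firmware can still leave it disabled (IA32_FEATURE_CONTROL on Intel, VM_CR.SVMDIS on AMD), and those MSRs can be read only in kernel mode.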

Nested Virtualization

The algorithms for nested virtualization are described in the readme files in both the VT-Core and SVM-Core directories.
For Nested Intel VT-x Algorithm, visit here.
For Nested AMD-V Algorithm, visit here.

Nested AMD-V is now in the debugging stage. NoirVisor can currently run a modified version of SimpleSvm as a nested hypervisor where NPT is turned off.
Nested Intel VT-x is not supported yet.

Announcement to all contributors

NoirVisor is written in C and assembly, since its design is procedure-oriented.
Contributing guidelines are available in the repository. For details, see the markdown file in the root directory of the repository.
DO NOT SUBMIT C++ CODE THAT INVOLVES THE NoirVisor Core IN YOUR PULL REQUEST!

Rust

A new branch rust-dev is already available at GitHub.
When you switch branches, make sure to execute the cleanup.bat script to clean up the compiler outputs.

Build

Batch scripts are essential to building NoirVisor.
Note that you should execute build_prep.bat to create the directories before the first compilation.
Once NoirVisor is updated, it is recommended to execute the cleanup.bat script before building.

If you build from a terminal, you may add the /s option to bypass the pause command. For example:

cd build
.\compchk_win7x64.bat /s

Windows Driver

To build a kernel-mode driver on Windows, you should download the Enterprise Windows Driver Kit 11 (Visual Studio Build Tools 16.11.10 and 17.8.6) ISO files and mount them to the T: and V: drives. I recommend using WinCDEmu to mount the ISO on system startup if you are looking for a free virtual ISO drive.
Then run the provided batch file to build it. You might have to mount the ISO file manually every time your machine starts up, because I failed to find a script that mounts an ISO to a specific drive letter. If you use WinCDEmu, however, you may order the system to mount EWDK10 and specify its drive letter during startup.
You may download the EWDK11 (with VS Build Tools 16.11.10) from Microsoft: https://docs.microsoft.com/en-us/legal/windows/hardware/enterprise-wdk-license-2019-New
You may download the EWDK11 (with VS Build Tools 17.8.6) from Microsoft: https://docs.microsoft.com/en-us/legal/windows/hardware/enterprise-wdk-license-2022
Make sure you have downloaded the correct version. NoirVisor will continue to be updated. If you do not use the correct version, you might fail to compile the latest version of NoirVisor.
Note that EWDK11 with VS Build Tools newer than 16 has removed the import library for Windows 7.
Presets for the Free/Release build are available. Please note that the binary compiled under the Free build does not come with a digital signature. You might have to sign it yourself.

EFI Application and Runtime Driver

Because EFI firmware implementations differ, most modern computer firmware does not support booting an EFI Runtime Driver directly. Therefore, it is necessary to build a separate EFI Application: the firmware boots the application, and the application loads the runtime driver into memory.
To build an EFI Runtime Driver and Application, you need NASM and TianoCore EDK II. To install TianoCore EDK II, you may download the latest release source code and extract it to the path C:\UefiDKII. Also, you should mount EWDK11 with VS Build Tools 17.8.6 to the V: drive.
You may download NASM from its official website: https://www.nasm.us/pub/nasm/stable/win64/. Make sure you have added its directory to the PATH environment variable.
You may download EDK II from GitHub: https://github.com/tianocore/edk2/releases. Download the source code.
NoirVisor also uses EDK II libraries. However, they must be pre-compiled. Visit EDK-II-Library on GitHub in order to build them.

Disassembler

NoirVisor uses Zydis as its disassembler engine. You should pre-compile Zydis as a static library. See the disassembler documentation for further details.
Because Zydis is included as a submodule, and Zydis itself has a submodule, you must clone this repository recursively.

Python script

Since January 2024, NoirVisor can be built using a Python script. The minimum Python version required for building NoirVisor is 3.9, because of the typing syntax the script uses. In other words, building NoirVisor through the Python script on Windows 7 is not supported. There are no pip package requirements for compilation.
First of all, in the root directory of this repository, execute the following commands to compile the third-party libraries:

make /target disassembler /j
make /target snprintf /j

The first command will build the Zydis disassembler engine.
The second command will build the snprintf library.

Then you can compile NoirVisor itself:

make /j

Python-based compilation runs in parallel, which gives great performance when building NoirVisor.

The current implementation only supports building NoirVisor as a Windows driver.

See the documentation for more information on using the Python script to build NoirVisor.

Test

Windows Driver

There is a .NET Framework 4.0 based GUI loader available on GitHub now: https://github.com/Zero-Tang/NoirVisorLoader
If you are using an operating system older than Windows 8, you need to manually install .NET Framework 4.0 or higher.
If you use the digital signature provided in NoirVisor's repository, then you should enable test-signing on your machine.
You may enable Stealth SSDT Hook by setting a registry value. Please note that since hooking is a very dangerous behavior, NoirVisor disables these hooks by default.
Caveat: The stealth hook functionalities are deprecated because I'm tired of doing this. They are disabled by default. Future updates of NoirVisor will rarely address issues from them. If you encounter issues with the stealth hook features, expect that no fixes will be applied. This project has no interest in fixing them.

reg add "HKLM\SOFTWARE\Zero-Tang\NoirVisor" /v "StealthMsrHook" /t REG_DWORD /d 1 /f

You may enable Stealth Inline Hook by setting a registry value:

reg add "HKLM\SOFTWARE\Zero-Tang\NoirVisor" /v "StealthInlineHook" /t REG_DWORD /d 1 /f

You may set the values to 0, or remove the value key, in order to disable these features again.

You may load NoirVisor by using command-line or batch script:

reg add "HKLM\SOFTWARE\Zero-Tang\NoirVisor" /v "SubvertOnDriverLoad" /t REG_DWORD /d 1 /f
sc create NoirVisor type= kernel binPath= <Path to NoirVisor driver file>
sc start NoirVisor

You may unload NoirVisor by using command-line or batch script as well:

sc stop NoirVisor
sc delete NoirVisor
reg add "HKLM\SOFTWARE\Zero-Tang\NoirVisor" /v "SubvertOnDriverLoad" /t REG_DWORD /d 0 /f

The SubvertOnDriverLoad registry value specifies whether or not the driver should subvert the system on driver entry. This value conflicts with NoirVisor Loader. You must delete or disable it in order to use NoirVisor Loader.

EFI Application and Runtime Driver

There are two methods to test NoirVisor.

Running on a physical machine

This method can also be used on VMware.
Use a U

