Aidan Khoury’s Part 2 of the revers.engineering PatchGuard series — two LSTAR-focused checks. KiErrata420Present briefly overwrites LSTAR with a one-byte RET stub and trips naive hypervisors that block WRMSR(LSTAR); the fix is a transparent MSR shadow. KiErrata1337Present is Khoury’s own derived detection that zeros IA32_KERNEL_GS_BASE, forces a #PF inside the syscall handler, hooks #PF through a temporary IDT, and uses one XCHG against the trap frame to read out the real syscall handler address. Full PoC at ajkhoury/Errata1337.
PatchGuard’s Detection of Hypervisor-Based Introspection: KiErrata704Present, Skx55, and 361 [P1]
Nick Peterson’s revers.engineering deep-dive on three PatchGuard routines disguised as CPU-errata checks but actually built to catch hypervisor introspection — KiErrata704Present (reads real LSTAR via FMASK + TF + SYSCALL #DB side-channel), KiErrataSkx55Present (CVE-2018-8897 POP SS / MOV SS revival), and KiErrata361Present (ICEBP / pending-BS VMCS trap from CVE-2018-1087). Mandatory reading for anyone shipping a security or anti-cheat VMM on Windows.
89 vulnerabilities in XAPI / Citrix XenServer
Shittrix discloses 89 XAPI/Citrix XenServer flaws caused by unvalidated metadata fields, enabling low-privileged users to mount host disks, inject storage commands, redirect storage, and compromise pools.
Hypervisor-Based Defense (Windows Kernel Protection)
The article explains how a defensive hypervisor can protect Windows systems from kernel attacks such as BYOVD by monitoring memory and enforcing protections below the OS using Intel VT-x and EPT virtualization features.

![PatchGuard’s Detection of Hypervisor-Based Introspection: KiErrata420Present and Errata1337 [P2]](https://core-jmp.org/wp-content/uploads/2026/06/Hyper-V-900x506.png)

