PatchGuard’s Detection of Hypervisor-Based Introspection: KiErrata420Present and Errata1337 [P2]

PatchGuard’s Detection of Hypervisor-Based Introspection: KiErrata420Present and Errata1337 [P2]

Aidan Khoury’s Part 2 of the revers.engineering PatchGuard series — two LSTAR-focused checks. KiErrata420Present briefly overwrites LSTAR with a one-byte RET stub and trips naive hypervisors that block WRMSR(LSTAR); the fix is a transparent MSR shadow. KiErrata1337Present is Khoury’s own derived detection that zeros IA32_KERNEL_GS_BASE, forces a #PF inside the syscall handler, hooks #PF through a temporary IDT, and uses one XCHG against the trap frame to read out the real syscall handler address. Full PoC at ajkhoury/Errata1337.

PatchGuard’s Detection of Hypervisor-Based Introspection: KiErrata420Present and Errata1337 [P2]

PatchGuard’s Detection of Hypervisor-Based Introspection: KiErrata704Present, Skx55, and 361 [P1]

Nick Peterson’s revers.engineering deep-dive on three PatchGuard routines disguised as CPU-errata checks but actually built to catch hypervisor introspection — KiErrata704Present (reads real LSTAR via FMASK + TF + SYSCALL #DB side-channel), KiErrataSkx55Present (CVE-2018-8897 POP SS / MOV SS revival), and KiErrata361Present (ICEBP / pending-BS VMCS trap from CVE-2018-1087). Mandatory reading for anyone shipping a security or anti-cheat VMM on Windows.