Bitdefender Napoca Hypervisor
The Bitdefender Napoca project is a lightweight type-1 hypervisor that offers a solid foundation for building advanced security-focused functionality by providing thorough control over the CPU and memory resources of a virtualized guest operating system. An example of such a project, originally built on top of Napoca, is the HyperVisor-based Memory Introspection.
Technology highlights
- Being a type-1 (bare-metal) hypervisor, it offers control over and can improve the security of the primary operating system, starting right from the very beginning of the boot sequence
- Hardware-assisted virtualization makes the CPU, memory and all the other hardware devices available to the guest operating system, guaranteeing top notch system performance
- Allows interception of memory, MSR, IO, control register resources based on instruction emulation with customizable behavior
- Rich internal API, including memory management, guest memory management, CPU and virtual CPU management, guest to host communication, inter-processor communication and advanced debugging
- Can be deployed on UEFI as well as Legacy platforms by leveraging a provided UEFI loader or the GRUB boot loader
- A userland DLL and a handy sample console application are provided to ease the interaction with the underlying hypervisor
Main project components
- Napoca - the actual hypervisor implementation
- Winguest - Windows user mode (winguestdll) and kernel mode (winguest) components for installing, configuring and interacting with the hypervisor
- Winguest_sample - user mode sample application built on top of the Winguest code to use as a starting point for developing new tools and to showcase how to integrate the API
- EfiPreloader - a minimal and robust EFI loader application that can ease the adoption of UEFI Secure Boot by acting as a first stage loader that can enable a custom chain of trust for the hypervisor (and the OS) boot flow
- EfiLoader - Napoca boot loader application for UEFI systems
Building and Running
The project supports only the Microsoft Visual Studio build toolchain under Windows.
Prerequisites
- Visual Studio 2019
- Workloads
- Desktop Development with C++
- Individual components [recommended to leave already checked options enabled]
- MSVC v142 - VS 2019 C++ x64/x86 Spectre-mitigated libs (v14.XX) [version must match the version of an equivalent selected unmitigated lib]
- C++ ATL for latest v142 build tools with Spectre Mitigations (x86 & x64)
- Windows 10 SDK (10.0.18362) [1903]
- Workloads
- Windows 10 WDK 10.0.18362 [1903]
- NASM
- make sure it is added to the system
PATHvariable
- make sure it is added to the system
- Powershell 5.0 or later [should already be installed if using Windows 10]
- Enable powershell scripts: powershell.exe as Admin ->
Set-ExecutionPolicy Unrestricted-> [A] Yes to All
- Enable powershell scripts: powershell.exe as Admin ->
- Python 3
- py -3 -m pip install PyYAML
- Doxygen [optional, only required if generating html/latex documentation]
Build
- Full Build
dacia.slnusing desired platform and configuration options (e.g., x64 - Release)
Create deployable package
./deploy_binaries.ps1 -Platform x64 -Configuration Release -Destination .\install[customize as needed]
Install
- Disable secure boot on the target machine (if enabled)
- Copy the 'install' folder obtained previously to the target machine (Following commands assume the folder was copied to
c:\dacia) - Run
winguest_sample.exeas Administratordrvinstall C:\dacia\install\driver\winguest.inf {8a5531a8-2c02-482e-9b2e-99f8cacecc9d}\BdWinguestdrvconnectsetpath 1 C:\dacia\install\hv\setpath 2 C:\dacia\install\hv\updates_intro\setpath 3 C:\dacia\feedback\config enable
- Reboot
Validate
- Run
winguest_sample.exeas Administratordrvconnectqueryhvhelpto see more available commands
Credits
The entire Bitdefender Napoca team.