Air14 / airhv

Simple Intel VT-x hypervisor
MIT License
264 stars, 71 forks

Stuck on kvm #17

Open. SEtihu23785678235 opened this issue 1 year ago

SEtihu23785678235 commented 1 year ago

I'm trying to get it working on a KVM installation with nested virtualization enabled.

After about 30 seconds the system gets stuck. (If WinDbg is not connected, it gets stuck immediately.) I don't get any exceptions. It's more like an infinite loop. WinDbg shows that the debuggee is running.... Even the WinDbg .reboot command doesn't work. The system gets stuck even if I run only airhv.sys without HyperHideDrv.sys.

If I hit Break, the call stack is always the same (when both airhv.sys and HyperHideDrv.sys are started):

```
nt!DbgBreakPointWithStatus
nt!KdCheckForDebugBreak+0x11045c
nt!KeAccumulateTicks+0x1ebcf5
nt!KiUpdateRunTime+0x5d
nt!KiUpdateTime+0x4a1
nt!KeClockInterruptNotify+0x2e3
nt!HalpTimerClockInterrupt+0xe2
nt!KiCallInterruptServiceRoutine+0xa5
nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
nt!KiInterruptDispatchNoLockNoEtw+0x37
0xfffff8023b9b0000
nt!HvcallInitiateHypercall+0x61
nt!HvlNotifyLongSpinWait+0x24
nt!KeYieldProcessorEx+0x38
nt!KiGenericCallDpcWorker+0xd4
nt!KeGenericProcessorCallback+0x125
nt!KeGenericCallDpc+0x27
nt!EtwpFreeLoggerContext+0x173
nt!EtwpLogger+0x4a8
nt!PspSystemThreadStartup+0x55
nt!KiStartSystemThread+0x28
```

Where

```
0: kd> u fffff8023b9b0000
fffff8023b9b0000 0f01c1  vmcall
fffff8023b9b0003 c3      ret
fffff8023b9b0004 0000    add byte ptr [rax],al
fffff8023b9b0006 0000    add byte ptr [rax],al
```

Of course I can't step into vmcall. I'm not very good at debugging and hypervisor development, but I suspect I need to connect a second WinDbg for that.

Log:

```
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.201] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.206] [INFORMATION] [perform_allocation:117] Allocation successful
[00:32:20.253] [INFORMATION] [init_vcpu:271] vcpu entry allocated successfully at FFFF9908CBF05190
[00:32:20.302] [INFORMATION] [init_vcpu:271] vcpu entry allocated successfully at FFFF9908CBF05270
[00:32:20.302] [INFORMATION] [init_logical_processor:367] vcpu 0 is now in VMX operation.
[00:32:20.302] [INFORMATION] [init_logical_processor:367] vcpu 1 is now in VMX operation.
[00:32:20.351] [INFORMATION] [DriverEntry:89] HyperVisor On
[00:32:20.351] [INFORMATION] [DriverEntry:94] Got offsets
[00:32:20.400] [INFORMATION] [DriverEntry:99] Got Ssdt
[00:32:20.475] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffffee0000000000
[00:32:20.475] [INFORMATION] [DriverEntry:104] Hider Initialized
[00:32:20.475] [INFORMATION] [DriverEntry:112] PsSetCreateThreadNotifyRoutine succeded
[00:32:20.475] [INFORMATION] [DriverEntry:121] PsSetCreateProcessNotifyRoutine succeded
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA1
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1BF
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x18D
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF3
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC2
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[00:32:20.477] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x14B
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xC9
[00:32:20.995] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xF8
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x12F
[00:32:20.998] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[00:32:21.001] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserBuildHwndList is equal: 0x1C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserFindWindowEx is equal: 0x6C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserQueryWindow is equal: 0x10
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetForegroundWindow is equal: 0x3C
[00:32:21.004] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetThreadState is equal: 0x0
[00:32:21.077] [INFORMATION] [GetKiUserExceptionDispatcherAddress:1878] KiUserExceptionDispatcher address: 0x7ff90c470e90
[00:32:21.175] [INFORMATION] [HookKiDispatchException:1905] KiDispatchException address: 0xfffff8023ecc9360
[00:32:21.175] [INFORMATION] [DriverEntry:132] Syscalls Hooked
[00:32:21.175] [INFORMATION] [DriverEntry:148] Driver initialized
```
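The vmcall frame in the stack above sits under nt!HvcallInitiateHypercall, which is the Windows kernel issuing a Hyper-V hypercall through the hypercall page; a VMCALL executed in VMX non-root mode always exits to the hypervisor that is running the guest, so once airhv is on it is the one that has to answer. Windows only takes that path when CPUID leaf 0x40000000 reports the "Microsoft Hv" vendor signature, which a KVM guest sees whenever the VM is configured with the hv-* enlightenments, regardless of whether Hyper-V is disabled inside Windows. The following is an added example, not code from airhv or from anyone in this thread, showing how a VMCALL exit handler can tell its own hypercall interface apart from a Hyper-V hypercall, decode the latter per the TLFS register convention, and return a defined status word. EXAMPLE_OWN_MAGIC and the dispatch structure are assumptions for illustration; the register values fed to it are constructed.

```c
/*
 * Added example (not airhv's code): decode a Hyper-V hypercall at a
 * VMCALL exit and answer it per the Hyper-V TLFS calling convention.
 *
 * Register convention (x64):
 *   RCX = hypercall input value  (call code 15:0, fast-call bit 16,
 *                                 rep count 43:32, rep start index 59:48)
 *   RDX = input parameters GPA (or the value itself for fast calls)
 *   R8  = output parameters GPA
 *   RAX = result (status 15:0, reps completed 43:32)
 *
 * EXAMPLE_OWN_MAGIC is a hypothetical marker for the hypervisor's own
 * VMCALL interface; it is not airhv's real protocol.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HV_CALL_CODE_MASK        0xFFFFull
#define HV_CALL_FAST_BIT         (1ull << 16)
#define HV_CALL_REP_COUNT_SHIFT  32
#define HV_CALL_REP_START_SHIFT  48
#define HV_CALL_REP_MASK         0xFFFull

#define HVCALL_NOTIFY_LONG_SPIN_WAIT 0x0008u   /* TLFS call code */

#define HV_STATUS_SUCCESS                0u
#define HV_STATUS_INVALID_HYPERCALL_CODE 2u

#define EXAMPLE_OWN_MAGIC 0x41495248ull        /* hypothetical marker */

typedef struct {
    uint16_t code;
    bool     fast;
    uint16_t rep_count;
    uint16_t rep_start;
} hv_call_input;

typedef enum {
    VMCALL_OWN_HYPERCALL,    /* our own interface; real dispatcher takes over */
    VMCALL_HV_ACKNOWLEDGED,  /* Hyper-V hypercall answered with success */
    VMCALL_HV_REJECTED       /* Hyper-V hypercall answered with an error */
} vmcall_disposition;

/* Split the RCX input value into its TLFS fields. */
hv_call_input hv_decode_input(uint64_t rcx)
{
    hv_call_input in;
    in.code      = (uint16_t)(rcx & HV_CALL_CODE_MASK);
    in.fast      = (rcx & HV_CALL_FAST_BIT) != 0;
    in.rep_count = (uint16_t)((rcx >> HV_CALL_REP_COUNT_SHIFT) & HV_CALL_REP_MASK);
    in.rep_start = (uint16_t)((rcx >> HV_CALL_REP_START_SHIFT) & HV_CALL_REP_MASK);
    return in;
}

/* Build the RAX result value: status in bits 15:0, reps completed in 43:32. */
uint64_t hv_make_result(uint16_t status, uint16_t reps_completed)
{
    return (uint64_t)status |
           ((uint64_t)(reps_completed & HV_CALL_REP_MASK) << HV_CALL_REP_COUNT_SHIFT);
}

/* CPUID 0x40000000 returns the vendor string in EBX:ECX:EDX. A Windows
 * guest enables its Hyper-V enlightenments only when it reads "Microsoft Hv"
 * (and CPUID.1:ECX[31] says a hypervisor is present). Takes the register
 * values as parameters so it can be exercised with constructed data. */
bool hv_vendor_is_hyperv(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    char sig[13];
    memcpy(sig,     &ebx, 4);   /* x86 is little-endian: bytes land in order */
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
    sig[12] = '\0';
    return strcmp(sig, "Microsoft Hv") == 0;
}

/* VMCALL exit dispatch. rax/rcx are the guest's registers at the exit;
 * *rax_out is what the guest will see in RAX after resume. */
vmcall_disposition handle_vmcall_exit(uint64_t rax, uint64_t rcx, uint64_t *rax_out)
{
    if (rax == EXAMPLE_OWN_MAGIC) {
        *rax_out = rax;               /* leave RAX to the real dispatcher */
        return VMCALL_OWN_HYPERCALL;
    }

    hv_call_input in = hv_decode_input(rcx);
    switch (in.code) {
    case HVCALL_NOTIFY_LONG_SPIN_WAIT:
        /* Advisory hint from a spinning virtual processor; acknowledging
         * it with success is a valid response. */
        *rax_out = hv_make_result(HV_STATUS_SUCCESS, 0);
        return VMCALL_HV_ACKNOWLEDGED;
    default:
        /* Unknown code: hand back a defined TLFS status so the guest's
         * HvcallInitiateHypercall sees a result it understands. */
        *rax_out = hv_make_result(HV_STATUS_INVALID_HYPERCALL_CODE, 0);
        return VMCALL_HV_REJECTED;
    }
}

int main(void)
{
    uint64_t rax_out = 0;
    /* Constructed exit: Windows calling HvCallNotifyLongSpinWait, as in the
     * nt!HvlNotifyLongSpinWait frame of the stack trace above. */
    vmcall_disposition d = handle_vmcall_exit(0, HVCALL_NOTIFY_LONG_SPIN_WAIT, &rax_out);
    printf("disposition=%d rax=0x%llx\n", (int)d, (unsigned long long)rax_out);
    return 0;
}
```

Reading RCX at the exit with this decoder (or simply `r rcx` from the debugger when the guest is stopped right before the vmcall) tells you which Hyper-V call the kernel is trying to make, which is more useful than the unsymbolized hypercall-page address alone.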

Air14 commented 1 year ago

Did you disable Hyper-V?

ddkwork commented 1 year ago

Win11 23H2 has the same problem. I can't get the dump file, because the system restarted 2 seconds after the driver loaded. The bug is located in the vmm_init function.

ddkwork commented 1 year ago

> Did you disable Hyper-V?

Hello, did you test Windows 11 23H2 22621?

Air14 commented 11 months ago

Yes, in my case everything works fine.