A Windows kernel-level security hypervisor designed for advanced system monitoring and protection. This project implements a custom hypervisor using Intel VMX (Virtual Machine Extensions) to provide stealth security monitoring at the hardware level.
Viper operates at Ring -1 (hypervisor level), below the operating system, making it invisible to malware and rootkits. It provides comprehensive system monitoring, memory protection, and security event detection without interfering with normal system operation.
- Intel VMX-based hypervisor implementation
- Extended Page Tables (EPT) for memory virtualization
- Multi-processor support with per-CPU VMCS management
- Stealth operation below the operating system
- SSDT/IDT/GDT protection and monitoring
- Kernel memory protection using EPT hooks
- Process creation and injection detection
- Anti-debugging and anti-analysis detection
- Code integrity verification
- Real-time network traffic monitoring
- Suspicious connection detection
- DDoS attack prevention
- Port scan detection
- Malware communication detection
- Hardware performance counter integration
- VM-exit latency measurement
- Security overhead analysis
- Real-time performance optimization
- Performance bottleneck detection
- DLL injection detection and prevention
- Code injection monitoring
- Process hollowing detection
- Thread hijacking detection
- APC injection monitoring
```
Viper/
├── srx/core/                    # Core hypervisor implementation
│   ├── viper.c                  # Main hypervisor logic
│   ├── viper.h                  # Core function declarations
│   ├── common.h                 # Common definitions and structures
│   └── ia32.h                   # Intel architecture definitions
├── modules/                     # Security and monitoring modules
│   ├── security.c               # Security monitoring implementation
│   ├── network.c                # Network monitoring
│   ├── performance.c            # Performance monitoring
│   └── injection_detection.c    # Injection detection
├── vmx/                         # VMX assembly and structures
│   ├── VmxAsm.asm               # VMX assembly routines
│   └── vmx.h                    # VMX structure definitions
├── mem/                         # Memory management
│   ├── ept.c                    # Extended Page Tables implementation
│   └── ept.h                    # EPT structure definitions
```
- Ring -1 execution using Intel VMX
- Hardware-assisted virtualization
- Extended Page Tables for memory virtualization
- VMCS (Virtual Machine Control Structure) management
- Memory protection using EPT hooks
- System table protection (SSDT, IDT, GDT)
- Process and thread monitoring
- Network traffic analysis
- Anti-debugging detection
- Hardware performance counters
- VM-exit optimization
- Selective monitoring
- Overhead minimization
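The memory-protection and system-table-protection items above both rest on EPT permission bits. The following is an added example, not Viper's own code, that models the two uses in user-mode C: an "EPT hook" that gives a guest page an execute-only shadow view and a read/write original view and flips between them on EPT violations, and a read-only entry for a table page (SSDT/IDT/GDT) whose write violations are treated as tampering. Entry layout and exit-qualification bits follow the Intel SDM; the `ept_hook_t` type, the function names and the page-frame numbers are hypothetical values constructed for the example.

```c
/* Added example (not project code): a single-CPU model of EPT hooks and
 * EPT write protection. Bit layout per Intel SDM; PFNs are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* EPT paging-structure entry bits. */
#define EPT_READ        (1ull << 0)
#define EPT_WRITE       (1ull << 1)
#define EPT_EXEC        (1ull << 2)
#define EPT_MEMTYPE_WB  (6ull << 3)            /* bits 5:3 memory type, 6 = write-back */
#define EPT_PFN_MASK    0x000FFFFFFFFFF000ull  /* bits 51:12 physical address */
#define EPT_PERM_MASK   (EPT_READ | EPT_WRITE | EPT_EXEC)

/* Exit-qualification bits delivered with an EPT-violation VM exit. */
#define EPTV_READ   (1ull << 0)   /* data read caused the violation */
#define EPTV_WRITE  (1ull << 1)   /* data write caused the violation */
#define EPTV_FETCH  (1ull << 2)   /* instruction fetch caused the violation */

uint64_t ept_pte_make(uint64_t pfn, uint64_t perms)
{
    return ((pfn << 12) & EPT_PFN_MASK) | EPT_MEMTYPE_WB | (perms & EPT_PERM_MASK);
}
uint64_t ept_pte_pfn(uint64_t pte)   { return (pte & EPT_PFN_MASK) >> 12; }
uint64_t ept_pte_perms(uint64_t pte) { return pte & EPT_PERM_MASK; }

/* Hypothetical hook record: one guest page, two backing frames. */
typedef struct {
    uint64_t original_pfn;  /* the frame the guest really owns (data view) */
    uint64_t shadow_pfn;    /* hypervisor copy carrying the hook (exec view) */
    uint64_t pte;           /* the live EPT entry for this guest page */
    unsigned swaps;         /* how many times the view has been flipped */
} ept_hook_t;

void ept_hook_init(ept_hook_t *h, uint64_t original_pfn, uint64_t shadow_pfn)
{
    h->original_pfn = original_pfn;
    h->shadow_pfn   = shadow_pfn;
    h->swaps        = 0;
    /* Start in the execute-only shadow view: any data access exits to us. */
    h->pte = ept_pte_make(shadow_pfn, EPT_EXEC);
}

/* EPT-violation handler for a hooked page. Returns true when the entry was
 * rewritten (the caller must then invalidate EPT mappings, e.g. INVEPT). A
 * violation that arrives while the matching view is already installed is
 * spurious and leaves the entry untouched. */
bool ept_hook_on_violation(ept_hook_t *h, uint64_t exit_qual)
{
    if (exit_qual & EPTV_FETCH) {
        if (ept_pte_pfn(h->pte) == h->shadow_pfn)
            return false;
        h->pte = ept_pte_make(h->shadow_pfn, EPT_EXEC);
    } else if (exit_qual & (EPTV_READ | EPTV_WRITE)) {
        if (ept_pte_pfn(h->pte) == h->original_pfn)
            return false;
        h->pte = ept_pte_make(h->original_pfn, EPT_READ | EPT_WRITE);
    } else {
        return false;
    }
    h->swaps++;
    return true;
}

/* Write protection for a system-table page: read and execute stay allowed
 * so the kernel keeps running, but every write attempt exits. */
uint64_t ept_protect_readonly(uint64_t pfn)
{
    return ept_pte_make(pfn, EPT_READ | EPT_EXEC);
}

/* A write violation against an entry that deliberately lacks the write bit
 * is the signal the monitor raises an alert on. */
bool ept_is_write_tamper(uint64_t pte, uint64_t exit_qual)
{
    return (exit_qual & EPTV_WRITE) && !(pte & EPT_WRITE);
}

int main(void)
{
    ept_hook_t h;
    ept_hook_init(&h, 0x1000, 0x2000);            /* constructed PFNs */
    ept_hook_on_violation(&h, EPTV_READ);         /* data view */
    ept_hook_on_violation(&h, EPTV_FETCH);        /* back to exec view */
    printf("hook entry: pfn=0x%llx perms=0x%llx swaps=%u\n",
           (unsigned long long)ept_pte_pfn(h.pte),
           (unsigned long long)ept_pte_perms(h.pte), h.swaps);
    uint64_t ro = ept_protect_readonly(0x3000);
    printf("write to protected table tampers: %s\n",
           ept_is_write_tamper(ro, EPTV_WRITE) ? "yes" : "no");
    return 0;
}
```

The model deliberately ignores what a real hypervisor must handle in addition: on a multi-processor system another core can be executing from the page while this core flips the view, so implementations either keep per-CPU EPT hierarchies or single-step the faulting instruction with the monitor trap flag before restoring the execute-only view, and the flip itself must be followed by an EPT invalidation or the stale translation stays cached.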
- Visual Studio 2019 or later
- Windows Driver Kit (WDK) 10.0.22621.0
- Windows SDK 10.0.22621.0
- x64 platform support
This project is for educational and research purposes. The hypervisor provides a foundation for advanced security monitoring and protection systems.
- This hypervisor operates at the highest privilege level
- Proper testing and validation required before deployment
- Should only be used in controlled environments
- Requires proper driver signing for production use
CRITICAL: This software can cause system instability and blue screen errors if not properly configured or tested.
- This hypervisor operates at the hardware level and can crash your system
- Always test in a virtual machine first
- Ensure your hardware supports Intel VMX and EPT
- Improper configuration may result in system crashes or data loss
- This is educational software - use at your own risk
- Never run on production systems without thorough testing
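Checking that the hardware supports Intel VMX and EPT, as the warnings above require, means reading one CPUID bit and three MSRs. The following added example, which is not Viper's own code, decodes those values the way a hypervisor's initialisation path has to: CPUID leaf 1 for VMX presence, IA32_FEATURE_CONTROL for whether firmware left VMXON usable, and the "allowed-1" halves of the VMX capability MSRs for whether EPT can be switched on. MSRs are only readable from ring 0, so the MSR values here are constructed samples; the `vmx_caps_t` type, the `check_vmx_ept` routine and the sample function are hypothetical names chosen for the example, while the MSR numbers and bit positions are those documented in the Intel SDM.

```c
/* Added example (not project code): decoding VMX/EPT capability bits.
 * MSR numbers and bit positions follow the Intel SDM; the MSR values in
 * sample_caps_full() are constructed, since MSRs need ring 0 to read. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID_1_ECX_VMX                   (1u << 5)     /* CPUID.01H:ECX[5] */
#define IA32_FEATURE_CONTROL_MSR          0x3Au
#define FEATURE_CONTROL_LOCK              (1ull << 0)
#define FEATURE_CONTROL_VMXON_OUTSIDE_SMX (1ull << 2)
#define IA32_VMX_PROCBASED_CTLS_MSR       0x482u
#define IA32_VMX_PROCBASED_CTLS2_MSR      0x48Bu
#define PROCBASED_ACTIVATE_SECONDARY      (1u << 31)    /* primary controls bit 31 */
#define PROCBASED2_ENABLE_EPT             (1u << 1)     /* secondary controls bit 1 */

typedef struct {
    uint32_t cpuid_1_ecx;      /* CPUID leaf 1, ECX */
    uint64_t feature_control;  /* IA32_FEATURE_CONTROL (0x3A) */
    uint64_t procbased_ctls;   /* IA32_VMX_PROCBASED_CTLS (0x482) */
    uint64_t procbased_ctls2;  /* IA32_VMX_PROCBASED_CTLS2 (0x48B) */
} vmx_caps_t;

typedef enum {
    VMX_OK = 0,
    VMX_UNSUPPORTED,       /* CPU reports no VMX at all */
    VMX_DISABLED_BY_BIOS,  /* lock bit set without the VMXON-outside-SMX bit */
    VMX_NO_EPT             /* VMX present but EPT cannot be enabled */
} vmx_status_t;

vmx_status_t check_vmx_ept(const vmx_caps_t *c)
{
    if (!(c->cpuid_1_ecx & CPUID_1_ECX_VMX))
        return VMX_UNSUPPORTED;

    /* Firmware that locks the MSR without enabling VMXON leaves VMXON
     * faulting (#GP) until the next boot. An unlocked MSR can still be
     * programmed by the hypervisor itself before VMXON. */
    if ((c->feature_control & FEATURE_CONTROL_LOCK) &&
        !(c->feature_control & FEATURE_CONTROL_VMXON_OUTSIDE_SMX))
        return VMX_DISABLED_BY_BIOS;

    /* In the VMX capability MSRs the high 32 bits are the "allowed-1"
     * settings: a control may only be set if its bit is 1 there. EPT lives
     * in the secondary controls, which must themselves be activatable. */
    uint32_t primary_allowed1   = (uint32_t)(c->procbased_ctls  >> 32);
    uint32_t secondary_allowed1 = (uint32_t)(c->procbased_ctls2 >> 32);
    if (!(primary_allowed1 & PROCBASED_ACTIVATE_SECONDARY) ||
        !(secondary_allowed1 & PROCBASED2_ENABLE_EPT))
        return VMX_NO_EPT;

    return VMX_OK;
}

/* Live CPUID query, the one check that works from user mode. Returns
 * false when compiled for a non-x86 target. */
bool cpu_reports_vmx(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return false;
    return (c & CPUID_1_ECX_VMX) != 0;
#else
    return false;
#endif
}

/* Constructed sample: VMX reported, firmware enabled it, EPT allowed. */
vmx_caps_t sample_caps_full(void)
{
    vmx_caps_t c = {
        .cpuid_1_ecx     = CPUID_1_ECX_VMX,
        .feature_control = FEATURE_CONTROL_LOCK | FEATURE_CONTROL_VMXON_OUTSIDE_SMX,
        .procbased_ctls  = (uint64_t)PROCBASED_ACTIVATE_SECONDARY << 32,
        .procbased_ctls2 = (uint64_t)PROCBASED2_ENABLE_EPT << 32,
    };
    return c;
}

int main(void)
{
    vmx_caps_t c = sample_caps_full();
    printf("live CPUID reports VMX: %s\n", cpu_reports_vmx() ? "yes" : "no");
    printf("constructed capability set: status %d (0 = VMX and EPT usable)\n",
           (int)check_vmx_ept(&c));
    return 0;
}
```

In a WDK driver the same decode is fed from `__cpuid` and `__readmsr` rather than `<cpuid.h>`, and it has to run on every logical processor, since a per-CPU VMCS setup will fault on any core where the feature-control MSR differs. Note that `cpu_reports_vmx()` inside a virtual machine only reflects what the VMM chooses to expose; a "no" there is the normal case unless nested virtualisation is enabled.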
This project demonstrates advanced Windows kernel programming concepts including:
- Hypervisor development using Intel VMX
- Windows driver development
- Assembly language integration
- Security monitoring implementation
- Performance optimization techniques
This project is for educational purposes. Use responsibly and in accordance with applicable laws and regulations.
This software is provided as-is for educational purposes. The authors are not responsible for any misuse or damage caused by this software. Always test in a controlled environment before deployment.
WARNING: This hypervisor can cause blue screen errors, system crashes, and data loss. Use only in controlled test environments with proper backup procedures.