Hi everyone, I'm Marek Kedzierski. I worked at Red Hat, and now I work in the virtio-win team. Today I'd like to talk about an interesting project, a very hard and very interesting project that I'm working on. The project is related to the implementation of the virtio-mem driver on Windows, so the title is "virtio-mem on Windows". But before I get to the technical details, let me first present the agenda of this presentation. OK, first I'll talk about virtio-mem in general. I don't want to go into much detail about virtio-mem, because there are some great presentations about it; I just want to say something about it for those who are not familiar with it. That's the first thing. Then I'll move on to the challenges: why the project is challenging, what the challenges are, and two of them in detail. Then I'll move on to other things. Then some links for further reading: presentations and my blog. And then we have a Q&A session. OK, let's start. Virtio-mem in general. First of all, the official description of virtio-mem is rather complex. I'd say the basic idea of virtio-mem is to provide a flexible, cross-architecture memory hot(un)plug solution that avoids the limitations imposed by existing technologies, architectures and interfaces. So, simply put, virtio-mem is a paravirtualized mechanism, and the idea is quite simple. If we have a VM with virtio-mem and that VM needs more memory, we can dynamically add memory to that VM. Dynamically means there is no need to reboot the VM. If, for example, the host needs more memory, we can take memory away from the VM and give it back to the host.
If there are other VMs that need some memory, we can take memory away from one VM and give it to another. That's the whole idea. It's a dynamic mechanism, so, as I said, there is no need to reboot the VM. OK, that's everything that is needed in order to understand virtio-mem. I should say that there are some great presentations about all of this, about the details of virtio-mem, and links to them are included later in the presentation. OK, now let's move on to the technical details. So what is the challenge in implementing virtio-mem? The biggest challenge, which dominated the whole process, is implementing memory hotplug on Windows for the virtio-mem implementation, because there is nothing that can be used, nothing that anyone can understand, simply no information, official or unofficial, just nothing, and the only way to get the information is to reverse engineer the kernel and the relevant drivers. So let's think about what is really needed at the beginning. If we want to implement this kind of driver, what do we really need? Functionality, some way to add memory to the operating system in a very dynamic way, and that's all, because, as I mentioned at the beginning, the whole of virtio-mem is just adding and removing memory. So that's exactly what we have to do, and we also have to understand what we have to do. So two functions are needed: one to add memory to the OS and the second to remove it. OK, the first step is just to look at the official documentation. Unfortunately, the official documentation doesn't give much information, but it does mention the functions MmAddPhysicalMemory and MmRemovePhysicalMemory. However, there is no detailed explanation of the two functions, and also both functions are described as reserved for system
use, so apparently they are not planned to be used by system programmers. However, before we start digging into the functions, it's very important to check whether the functions are somehow used by the existing drivers in the operating system. So the first step, if you want to understand some functionality, is to take a look at the existing drivers and see if some of them are using the mentioned functions.

Windows provides several drivers for various types of memory. I found at least three: the first one was pnpmem, the second was dmvsc, and there were also some drivers related to special types of memory, persistent memory or DAX. However, the drivers related to that kind of memory were completely useless in this case because of the way memory is implemented in them, so only two drivers can be useful in order to extract the required information.

The first one is pnpmem. pnpmem is just the plug-and-play memory driver on Windows. This is a rather old driver; it's been in the operating system for something like 20 years. Interestingly, the driver references the functions MmAddPhysicalMemory and MmRemovePhysicalMemory, so apparently that's what we are looking for. However, the fact that the functions are referenced does not mean that they are actually used; that's the difference. Another driver that should be analyzed is dmvsc, the Hyper-V dynamic memory driver. This is a very specific driver that runs in a guest running under the control of Hyper-V, the Microsoft hypervisor, and this driver references only one function, MmAddPhysicalMemory. This driver provides the functionality to add or remove memory to a VM in a dynamic way.

So now let's take a deeper look at those two drivers. The first one, pnpmem, is the plug-and-play memory driver. After analysis of the code and everything, the conclusion is that it uses MmAddPhysicalMemory to really add memory, and this is really used, so developers can use this call to add physical memory ranges to the system; of course, if the memory is backed somehow, I mean the memory really exists, this can be used for this purpose. However, when it comes to MmRemovePhysicalMemory it's not clear, because analysis of the driver revealed that this function is not used by the driver: it's referenced but not used. It can be used under a special condition, when one of the flags is set; I don't want to speak about what the conditions are. The important thing about this function is that it's not so useful in our case, because in order to remove part of the physical memory, or a memory range, from the system, we have to know exactly which physical memory range we want to remove, and after adding physical memory to the system, the memory that has been added can already be in use, maybe not all of it but some, let's say half of this memory. So we really don't know which exact ranges are currently used by the operating system, so this function is not so useful in our case; it's completely, let's say, useless, because we really don't know which ranges we can remove. There is no API that can return information about which memory ranges are free and which are not. Maybe such an API exists, but I haven't found anything like that in my reverse engineering. OK, so let's skip this driver for now.

Let's just focus on dmvsc, the Hyper-V dynamic memory driver. It's not as old as the previous one, because dmvsc was developed for Hyper-V. This driver calls MmAddPhysicalMemory to really add a memory range to the operating system. However, when it comes to removing the whole memory range, it doesn't call MmRemovePhysicalMemory, probably for the reason that I described; it absolutely makes sense, because there is no API to just query which memory range is free or which was already allocated. For that purpose, interestingly, this driver uses the MmAllocateNodePagesForMdlEx call, which allocates some ranges of memory, and, looking deeply into the details, this function is not so well documented. I mean, it's documented, but the flag that is used by the driver, MM_ALLOCATE_AND_HOT_REMOVE, which just removes the memory range from the system, is not documented in the official documentation; it's not documented at all. However, it's defined in one of the header files that are provided with the SDK, so that's how it was extracted: through reverse engineering I found this particular call, and that's how I figured it out and finally mapped this flag, I mean the hex value, to the particular flag that has to be used.

So those were two things related to adding and removing memory, and there is also another challenging thing that is related to the Hyper-V scenario. After enabling Hyper-V, unfortunately MmAddPhysicalMemory doesn't work: it fails with the error "HV feature is not available" when Hyper-V is running. We can run Hyper-V in two ways, through installing the Hyper-V role or through enabling VBS, virtualization-based security, and after that, when Hyper-V is running, it's not possible to add physical memory. Further investigation finally revealed that MmAddPhysicalMemory, when Hyper-V is active, executes an undocumented hypercall, 0x00BC. This hypercall is not documented; however, I found the name in one of the documents provided by security researchers, and it's described as HvCallAddPhysicalMemory, so it looks like this is something that is used to add physical memory. The question is why it doesn't work. After doing some analysis of this hypercall in Hyper-V, which is a challenge because there are no symbols or anything, it looks like Hyper-V checks if it's being run under a Microsoft-compatible hypervisor, and if it is, then it checks one of the very special partition privilege flags, which is called AccessHypercallMsrs. If the two conditions are met, then there is basically no problem with adding memory. So what really needs to be done in this case, in order to make this function call work under Hyper-V: the hypervisor must be reported as Microsoft-compatible, and the partition privilege flag AccessHypercallMsrs must be set. In order to do that, it's enough to enable Hyper-V enlightenments under KVM. If Hyper-V enlightenments are enabled, then there is no problem with this function call, and it's a massive success.

So I talked about two different challenges regarding this implementation of virtio-mem. Of course there are other challenges, but I don't want to speak so much about them, because they are not as challenging as the things I mentioned before, but I can just, let's say, briefly describe them: NUMA support, and testing, because we are dealing with something unknown, so we have to make sure that the driver works in specific scenarios like hibernation or something like that, and we also have to pay attention to everything else that can be discovered during development, because, as I said, the project is challenging and very dynamic.

When it comes to additional information, if somebody is interested in this project, I highly encourage you to visit the virtio-mem web page, which provides all the information that is required to understand virtio-mem; it also has some links to presentations and everything that can be used to learn about the project. I also highly encourage you to visit my own blog, Windows Man, where I am providing information about the development of drivers on Windows, and I am also sharing other information that can be used to learn more about Hyper-V or about KVM and low-level stuff related to virtualization on Windows, because the first one is about Linux, and the second one, my blog, is only about Windows and Linux. OK, so that's basically all I wanted to talk about today, so now I think we can go to the Q&A section. Thank you for watching, I hope you enjoyed my presentation, see you next time.