Idov31/NovaHypervisor
NovaHypervisor


Description

NovaHypervisor is a defensive, host-based hypervisor for Intel x64. The goal of the project is to protect against kernel-based attacks (whether via Bring Your Own Vulnerable Driver (BYOVD) or other means) by safeguarding defense products (antivirus / endpoint protection) and kernel memory structures, and by preventing unauthorized access to kernel memory.

NovaHypervisor is written in C++ and assembly and is designed to run on Windows 10 and later. See the Setup section for how to build and use it.

Important

The hypervisor was tested on Windows 11 25H2 and multiple Windows 10 versions. If you encounter a problem, please open an issue after checking there isn't already an open issue.

Supported Hypervisors

NovaHypervisor can run under these hypervisors:

Legend

✅ - Supported and tested

⌛ - Work in progress

❌ - Not supported and not planned to be supported

Hypervisor          Supported
VMware
Hyper-V
Hyper-V with VBS
VirtualBox
QEMU
KVM

Usage

To use NovaHypervisor, create a kernel service for the driver and start it (from an elevated command prompt):

sc create NovaHypervisor type= kernel binPath= "C:\Path\To\NovaHypervisor.sys"

sc start NovaHypervisor

Then add and remove the addresses you want to protect with the NovaClient application:

REM Add an address to protect
NovaClient.exe protect 0x12345678 <r|w|x> <execution hook>

REM Remove an address from protection
NovaClient.exe unprotect 0x12345678

  • protect: Protect a memory address from being accessed. The protection string you pass is the set of permissions the address keeps afterwards, built from:

    • r: read access remains allowed
    • w: write access remains allowed
    • x: execute access remains allowed

    For example, to remove execute permission while leaving the address readable and writable, pass "rw".
  • unprotect: Remove the protection from a memory address.

Note

Execution hooks (an inline hook combined with an EPT hook) are not supported and will not be supported in this project, to prevent abuse.

Setup

Compiling the Project

The setup to compile the project requires you to have:

  • Visual Studio 2022 or later.
  • Windows Driver Kit (WDK) installed.

Target setup

To run the hypervisor, the target machine needs Windows 10 or a later version installed, together with:

  • Intel VT-x enabled in firmware.
  • A virtualized IOMMU (when the target is itself a VM, the outer hypervisor must expose one to it).

Logging and Debugging

Logging

NovaHypervisor uses WPP logging because it provides an easy-to-use interface that also works in VMX root mode. To see the logs, create a trace session once:

logman create trace "NovaHypervisorLogs" -p {e74c1035-77d4-4c5b-9088-77056fae3aa3} 0xffffffff 0xff -o C:\Path\To\NovaHypervisor.etl

Later on, whenever you want to start or end the logging session you can use:

logman start "NovaHypervisorLogs"
logman stop "NovaHypervisorLogs"

To view the logs you can use tools such as TraceView.
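The bring-up steps above (the kernel service from Usage, the Target setup requirements, and the trace session described here) as one script for a lab machine. This is an added example for this page, not code from the NovaHypervisor repository: the install directory C:\Nova, the WMI pre-flight checks, the kernel-address sanity check and the placeholder address are assumptions of the example, and the README's `<execution hook>` argument to `protect` is not passed (add it if your client build requires it).

```powershell
#Requires -RunAsAdministrator
# Added example for this page, not part of NovaHypervisor. Brings a lab machine
# up end to end: pre-flight checks, kernel service, WPP trace session, then a
# first protect call. The paths, session name and address below are assumptions.
param(
    [string]$DriverPath = 'C:\Nova\NovaHypervisor.sys',
    [string]$ClientPath = 'C:\Nova\NovaClient.exe',
    [string]$EtlPath    = 'C:\Nova\NovaHypervisor.etl',
    # Placeholder kernel virtual address; replace with the address you want to guard.
    [string]$Address    = '0xFFFFF80012345678',
    # Permissions the address keeps (README semantics): 'rw' strips execute.
    [string]$Protection = 'rw'
)

$ErrorActionPreference = 'Stop'
# Native exit codes are checked by hand below; keep PowerShell 7.4+ from turning
# every non-zero exit code into a terminating error.
$PSNativeCommandUseErrorActionPreference = $false
$ServiceName  = 'NovaHypervisor'
$TraceName    = 'NovaHypervisorLogs'
$ProviderGuid = '{e74c1035-77d4-4c5b-9088-77056fae3aa3}'   # WPP provider GUID from the README

function Test-Prerequisites {
    # README requirement: Intel CPU with VT-x. WMI exposes the firmware VT flag.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    if ($cpu.Manufacturer -ne 'GenuineIntel') {
        throw "NovaHypervisor targets Intel x64; this CPU reports '$($cpu.Manufacturer)'."
    }
    # Inside a VM, or when Hyper-V already owns VMX, the flag can read False even
    # though nested VT-x works, so warn rather than abort.
    if (-not $cpu.VirtualizationFirmwareEnabled) {
        Write-Warning 'VirtualizationFirmwareEnabled is False: check the VT-x firmware setting, or nested virtualization on the outer hypervisor.'
    }
    # Report whether Hyper-V/VBS is already active: the support table treats
    # "Hyper-V" and "Hyper-V with VBS" as separate cases.
    $cs = Get-CimInstance Win32_ComputerSystem
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbs = if ($dg) { @('off', 'configured but not running', 'running')[$dg.VirtualizationBasedSecurityStatus] } else { 'unknown' }
    Write-Host "Hypervisor present: $($cs.HypervisorPresent); VBS: $vbs"
    # An unsigned research driver only loads with test signing on (see Debugging).
    if (-not ((bcdedit /enum '{current}') -match '^testsigning\s+Yes')) {
        throw 'Test signing is off; run "bcdedit /set testsigning on" and reboot first.'
    }
}

function Install-NovaService {
    & sc.exe query $ServiceName *> $null
    if ($LASTEXITCODE -eq 1060) {                       # ERROR_SERVICE_DOES_NOT_EXIST
        & sc.exe create $ServiceName type= kernel binPath= $DriverPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc create failed with $LASTEXITCODE" }
    }
}

function Start-NovaTrace {
    # 'logman create' refuses to recreate an existing session, so create it once.
    & logman query $TraceName *> $null
    if ($LASTEXITCODE -ne 0) {
        & logman create trace $TraceName -p $ProviderGuid 0xffffffff 0xff -o $EtlPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "logman create failed with $LASTEXITCODE" }
    }
    & logman start $TraceName | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "logman start returned $LASTEXITCODE (session already running?)" }
}

function Start-NovaDriver {
    # Tracing is started before the driver so its load-time WPP output lands in the ETL.
    & sc.exe start $ServiceName | Out-Null
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 1056) { # ERROR_SERVICE_ALREADY_RUNNING
        throw "sc start failed with $LASTEXITCODE; inspect $EtlPath for the driver's WPP output"
    }
}

function Protect-Address {
    param([string]$Addr, [string]$Perm)
    if ($Addr -notmatch '^0x[0-9A-Fa-f]{1,16}$') { throw "'$Addr' is not a hexadecimal address" }
    if ($Perm -notmatch '^[rwx]{1,3}$')          { throw "'$Perm' must be built from r, w and x only" }
    # The driver guards kernel memory, so refuse a user-mode address here instead of
    # relying on the client's error. x64 Windows kernel VAs start at 0xFFFF800000000000.
    $hex = [System.Globalization.NumberStyles]::HexNumber
    if ([uint64]::Parse($Addr.Substring(2), $hex) -lt [uint64]::Parse('FFFF800000000000', $hex)) {
        throw "$Addr is not a kernel-mode address"
    }
    & $ClientPath protect $Addr $Perm
    if ($LASTEXITCODE -ne 0) { throw "NovaClient protect failed with $LASTEXITCODE" }
}

Test-Prerequisites
Install-NovaService
Start-NovaTrace
Start-NovaDriver
Protect-Address -Addr $Address -Perm $Protection
Write-Host "Protected $Address as '$Protection'. Undo with: $ClientPath unprotect $Address"
Write-Host "Stop logging with: logman stop $TraceName, then open $EtlPath in TraceView"
```

Run it from an elevated PowerShell after the reboot that follows the bcdedit changes in the Debugging section. Every native call (`sc.exe`, `logman`, `NovaClient.exe`) is checked through `$LASTEXITCODE` because these tools report Win32 error codes rather than throwing, and the trace session is started before the driver so that any failure during `DriverEntry` is captured in the ETL.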

Debugging

To test and debug in your testing environment, run the following commands from an elevated command prompt and then restart the machine:

bcdedit /set testsigning on
bcdedit /debug on
bcdedit /dbgsettings net hostip:<HOSTIP> port:55000 key:1.2.3.4

Where <HOSTIP> is the IP address of your host (debugger) machine. Note that test signing disables driver signature enforcement and the network debugger key is a shared secret, so keep both to an isolated test machine and choose your own key rather than the example value above.

Resources

Personal Thanks & Contributors

  • Sinaei: For his help with answering questions I had and for his amazing work on HyperDbg and Hypervisor From Scratch.

  • memN0ps: For his help with answering questions I had and pointing me to the right resources.

About

Windows hypervisor for Intel x64: defensive host hypervisor for Windows designed to mitigate kernel-level attacks including BYOVD, compatible with VMware and Hyper-V.
