Home

Awesome

Detection-Hyper-v

Method

KPRCB

void
DetectionHVByKPRCB(int &PowerStateHypervisor, int &PowerStateHvTargetState)
{
    auto PcrPtr = (build_17763::KPCR *)KeGetPcr();
    auto PrcbPtr = PcrPtr->CurrentPrcb;
    dprintf("PcrPtr=%p\n", PcrPtr);
    dprintf("PrcbPtr=%p\n", PrcbPtr);

    PowerStateHypervisor = PrcbPtr->PowerState.Hypervisor;
    dprintf("PowerStateHypervisor=%d\n", PowerStateHypervisor);

    PowerStateHvTargetState = PrcbPtr->PowerState.HvTargetState;
    dprintf("PowerStateHvTargetState=%d\n", PowerStateHvTargetState);
}

Compile

You should use llvm-msvc to compile this project link

Credit

@KelvinMsft