Geoff Chappell - Software Analyst
The HviGetHardwareFeatures function obtains the output of a Microsoft-compatible hypervisor’s cpuid leaf 0x40000006.
VOID HviGetHardwareFeatures (HV_HYPERVISOR_HARDWARE_FEATURES *);
The one argument provides the address of a structure that is to receive the cpuid output.
The HV_HYPERVISOR_HARDWARE_FEATURES in the declaration is hypothesised as Microsoft’s macro that stands for an appropriate processor-specific structure. For both the x86 (i386) and x64 (amd64) processors, this structure is named HV_X64_HYPERVISOR_HARDWARE_FEATURES. Microsoft is known to define an HV_ARM64_HYPERVISOR_HARDWARE_FEATURES structure when building for other processors, but this lies (far) outside the scope of this website.
The HviGetHardwareFeatures function is exported by name from the kernel in version 10.0 and higher.
Public symbol files for the version 6.3 kernel name HviGetHardwareFeatures as an internal routine that had as its one argument a pointer to what was then the HV_HYPERVISOR_HARDWARE_FEATURES structure, but the binary shows no sign of anything like what version 10.0 has as the HviGetHardwareFeatures function. Indeed, it has no known use of cpuid leaf 0x40000006. It is here thought that HviGetHardwareFeatures and at least one caller of it are defined in some header that was included by the source file (ntsym.c) whose compilation merges type information into the public symbol file, but then none of them are called from any source file whose compilation contributes to the kernel. Thus can HviGetHardwareFeatures be in the public symbols without a trace of it in the binary. Though it is not seen in the version 6.3 kernel, it plainly did exist. That it’s the origin of the exported function must be all but certain.
The HviGetHardwareFeatures function is not documented.
If a hypervisor is present and implements cpuid leaves at least to 0x40000006—see HviGetHypervisorVendorAndMaxFunction—then the function copies to the given address whatever cpuid leaf 0x40000006 produces in the eax, ebx, ecx and edx registers.
Otherwise, the structure at the given address is zeroed. This, in effect, is the function’s indication of failure.
This function does not check cpuid leaf 0x40000001 to establish that the hypervisor is Microsoft-compatible.
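The behaviour described above can be modelled in user mode, with the leaf 0x40000001 check that the function leaves to its caller. This is an added example, not code from the kernel or from this website. The cpuid_fn callback, the fake_cpuid provider with its constructed responses, and the use of cpuid leaf 1 ecx bit 31 as the test for a hypervisor's presence are assumptions. The "Hv#1" interface signature is the value Microsoft's Hypervisor Top-Level Functional Specification gives for eax of leaf 0x40000001.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;
typedef void (*cpuid_fn)(uint32_t leaf, cpuid_regs *out);   /* hypothetical CPUID provider */
#define HV_SIG_HV1 0x31237648u                               /* "Hv#1" in eax of leaf 0x40000001 */

/* Highest hypervisor leaf, or 0 if no hypervisor (assumption: presence is CPUID.1:ECX[31]). */
static uint32_t hv_max_leaf(cpuid_fn cpuid) {
    cpuid_regs r;
    cpuid(1, &r);
    if (!(r.ecx & (1u << 31))) return 0;
    cpuid(0x40000000u, &r);
    return r.eax;
}

/* As the page describes: copy leaf 0x40000006, else leave the output zeroed. */
static void get_hardware_features(cpuid_fn cpuid, cpuid_regs *out) {
    memset(out, 0, sizeof *out);
    if (hv_max_leaf(cpuid) >= 0x40000006u) cpuid(0x40000006u, out);
}

/* Caller-side wrapper: explicit status plus the interface check the function omits. */
static int get_hardware_features_checked(cpuid_fn cpuid, cpuid_regs *out) {
    cpuid_regs sig;
    get_hardware_features(cpuid, out);
    if (hv_max_leaf(cpuid) < 0x40000006u) return 0;
    cpuid(0x40000001u, &sig);
    if (sig.eax != HV_SIG_HV1) { memset(out, 0, sizeof *out); return 0; }
    return 1;
}

/* Constructed CPUID responses for offline runs; not captured from any machine. */
static struct fake_cfg { int present; uint32_t max_leaf, iface, feat_eax; } fake;
static void fake_cpuid(uint32_t leaf, cpuid_regs *o) {
    memset(o, 0, sizeof *o);
    if (leaf == 1) o->ecx = fake.present ? (1u << 31) : 0;
    else if (leaf == 0x40000000u) o->eax = fake.max_leaf;
    else if (leaf == 0x40000001u) o->eax = fake.iface;
    else if (leaf == 0x40000006u) o->eax = fake.feat_eax;
}

int main(void) {
    cpuid_regs f;
    fake = (struct fake_cfg){1, 0x40000010u, 0x12345678u, 0xFFFFFFFFu}; /* interface is not Hv#1 */
    get_hardware_features(fake_cpuid, &f);       /* copies the leaf regardless of interface */
    unsigned raw = (unsigned)f.eax;
    printf("unchecked eax=%#x checked ok=%d\n", raw, get_hardware_features_checked(fake_cpuid, &f));
    return 0;
}
```

The wrapper's return value also separates failure from a hypervisor that legitimately reports all zeros in leaf 0x40000006, which the zeroed structure alone cannot do.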