Geoff Chappell - Software Analyst
The HviGetHypervisorFeatures function obtains the output of a Microsoft-compatible hypervisor’s cpuid leaf 0x40000003.
VOID HviGetHypervisorFeatures (HV_HYPERVISOR_FEATURES *);
The one argument provides the address of a structure that is to receive the cpuid output.
The HV_HYPERVISOR_FEATURES in the declaration is hypothesised as Microsoft’s macro that stands for an appropriate processor-specific structure. For both the x86 (i386) and x64 (amd64) processors, this structure is named HV_X64_HYPERVISOR_FEATURES. Microsoft is known to define an HV_ARM64_HYPERVISOR_FEATURES structure when building for other processors, but this lies (far) outside the scope of this website.
The HviGetHypervisorFeatures function is exported by name from the kernel in version 10.0 and higher.
The version 6.3 kernel has an inline routine that is coded very similarly to the version 10.0 HviGetHypervisorFeatures. Public symbol files for the version 6.3 kernel confirm that this earlier kernel has an inline routine that was already named HviGetHypervisorFeatures and had as its one argument a pointer to what was then the HV_HYPERVISOR_FEATURES structure. It must be all but certain that the inline routine in the binary is the one named in the symbol files and that it is in turn the origin of the exported function.
The HviGetHypervisorFeatures function is not documented.
If a hypervisor is present and implements Microsoft’s interface—see HviIsHypervisorMicrosoftCompatible—then the function copies to the given address whatever cpuid leaf 0x40000003 produces in the eax, ebx, ecx and edx registers.
Otherwise, the structure at the given address is zeroed. This, in effect, is the function’s indication of failure.
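The behaviour described above can be modelled outside the kernel. The following C is an added example, not Microsoft's code and not taken from the kernel. All names in it are hypothetical, the feature values are constructed, and the compatibility test (cpuid leaf 1 ecx bit 31 plus the "Hv#1" signature in eax of leaf 0x40000001) is an assumption drawn from Microsoft's published hypervisor specification rather than from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw eax..edx of leaf 0x40000003; stand-in for HV_X64_HYPERVISOR_FEATURES. */
typedef struct { uint32_t eax, ebx, ecx, edx; } hv_features_raw;
/* cpuid is injected so the logic can run against constructed register values. */
typedef void (*cpuid_fn)(uint32_t leaf, uint32_t r[4]);

/* Assumed compatibility test (not taken from the page):
   leaf 1 ecx bit 31 set and leaf 0x40000001 eax == "Hv#1". */
static int hv_is_ms_compatible(cpuid_fn cpuid) {
    uint32_t r[4];
    cpuid(1, r);
    if (!(r[2] & 0x80000000u)) return 0;   /* no hypervisor present */
    cpuid(0x40000001u, r);
    return r[0] == 0x31237648u;            /* 'H','v','#','1' little-endian */
}

/* Mirrors the described contract: copy leaf 0x40000003, else leave zeroes. */
static void hv_get_features(cpuid_fn cpuid, hv_features_raw *out) {
    uint32_t r[4];
    memset(out, 0, sizeof *out);
    if (!hv_is_ms_compatible(cpuid)) return;
    cpuid(0x40000003u, r);
    out->eax = r[0]; out->ebx = r[1]; out->ecx = r[2]; out->edx = r[3];
}

/* All-zero output is the only failure signal, so a caller must test for it. */
static int hv_features_present(const hv_features_raw *f) {
    return (f->eax | f->ebx | f->ecx | f->edx) != 0;
}

/* Constructed cpuid sources: bare metal, and a hypervisor with made-up bits. */
static void cpuid_bare(uint32_t leaf, uint32_t r[4]) {
    (void)leaf; memset(r, 0, 4 * sizeof r[0]);
}
static void cpuid_fake_hv(uint32_t leaf, uint32_t r[4]) {
    memset(r, 0, 4 * sizeof r[0]);
    if (leaf == 1) r[2] = 0x80000000u;
    else if (leaf == 0x40000001u) r[0] = 0x31237648u;
    else if (leaf == 0x40000003u) { r[0] = 0x2E7Fu; r[1] = 0x3B80u; r[3] = 0x10u; }
}

int main(void) {
    hv_features_raw f;
    hv_get_features(cpuid_fake_hv, &f);
    printf("fake hv: eax=%08x present=%d\n", (unsigned)f.eax, hv_features_present(&f));
    hv_get_features(cpuid_bare, &f);
    printf("bare:    eax=%08x present=%d\n", (unsigned)f.eax, hv_features_present(&f));
    return 0;
}
```

Because the function returns VOID, a caller that does not check for the all-zero structure cannot distinguish "no Microsoft-compatible hypervisor" from "feature not offered".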