Geoff Chappell - Software Analyst
The HviGetHypervisorVersion function obtains the output of a Microsoft-compatible hypervisor’s cpuid leaf 0x40000002.
VOID HviGetHypervisorVersion (HV_HYPERVISOR_VERSION_INFO *);
The one argument provides the address of a structure that is to receive the cpuid output.
The HviGetHypervisorVersion function is exported by name from the kernel in version 10.0 and higher.
The version 6.3 kernel has an inline routine that is coded very similarly to the version 10.0 HviGetHypervisorVersion. It looks to be defined, rather than used, when compiling the source file (ntsym.c) that exists for merging type information into the public symbol file, and so its name is not recorded. The symbol file’s unreferenced LF_POINTER (0x1002) record for the HV_HYPERVISOR_VERSION_INFO is here thought to have been generated from this pointer’s use as the inline routine’s argument. It is very likely that this inline routine in version 6.3 was already named HviGetHypervisorVersion and is the origin of the exported function.
The HviGetHypervisorVersion function is not documented.
If a hypervisor is present and implements Microsoft’s interface—see HviIsHypervisorMicrosoftCompatible—then the function copies to the given address whatever cpuid leaf 0x40000002 produces in the eax, ebx, ecx and edx registers.
Otherwise, the structure at the given address is zeroed. This, in effect, is the function’s indication of failure.
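The copy-or-zero behaviour described above can be modelled outside the kernel, with the four registers decoded into version fields. The C below is an added example, not the kernel's code or the author's: the field layout and the "Hv#1" signature test are assumptions taken from Microsoft's Hypervisor Top-Level Functional Specification, and hv_version, hv_get_version, cpuid_fn and the two fake_ callbacks are hypothetical names with constructed sample values.

```c
#include <stdint.h>
#include <string.h>

/* Leaf 0x40000002 fields per Microsoft's Hypervisor Top-Level Functional
   Specification. The struct and function names here are hypothetical. */
typedef struct {
    uint32_t build;          /* eax */
    uint16_t minor, major;   /* ebx bits 15:0 and 31:16 */
    uint32_t service_pack;   /* ecx */
    uint32_t service_number; /* edx bits 23:0 */
    uint8_t  service_branch; /* edx bits 31:24 */
} hv_version;

/* Executes cpuid for one leaf: r[0..3] = eax, ebx, ecx, edx. */
typedef void (*cpuid_fn)(uint32_t leaf, uint32_t r[4]);

/* Returns 1 and fills *v, or returns 0 with *v zeroed (the failure case). */
int hv_get_version(cpuid_fn cpuid, hv_version *v)
{
    uint32_t r[4];
    memset(v, 0, sizeof *v);
    cpuid(1, r);
    if (!(r[2] & (1u << 31))) return 0;   /* hypervisor-present bit clear */
    cpuid(0x40000000, r);
    if (r[0] < 0x40000002) return 0;      /* extra check: leaf out of range */
    cpuid(0x40000001, r);
    if (r[0] != 0x31237648) return 0;     /* interface signature is not "Hv#1" */
    cpuid(0x40000002, r);
    v->build = r[0];
    v->minor = (uint16_t)(r[1] & 0xFFFF);
    v->major = (uint16_t)(r[1] >> 16);
    v->service_pack = r[2];
    v->service_number = r[3] & 0x00FFFFFF;
    v->service_branch = (uint8_t)(r[3] >> 24);
    return 1;
}

/* Constructed sample: guest reporting version 10.0, build 19041. */
void fake_hyperv(uint32_t leaf, uint32_t r[4])
{
    memset(r, 0, 4 * sizeof r[0]);
    if (leaf == 1) r[2] = 1u << 31;
    if (leaf == 0x40000000) r[0] = 0x40000006;
    if (leaf == 0x40000001) r[0] = 0x31237648;
    if (leaf == 0x40000002) { r[0] = 19041; r[1] = 10u << 16; r[3] = (2u << 24) | 1000; }
}

/* Constructed sample: no hypervisor, every leaf reads as zero. */
void fake_bare_metal(uint32_t leaf, uint32_t r[4]) { (void)leaf; memset(r, 0, 4 * sizeof r[0]); }
```

On x86 with GCC or Clang, a callback that wraps the __cpuid macro from <cpuid.h> supplies the real register values in place of the constructed ones.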