HyperVinject: Making Virtual Machine Code Injections as Simple as Process Injections


Presented at Recon 2025 by

In this talk we present HyperVinject, the first tool capable of injecting code into a running Hyper-V VM (Child Partition) from the Root Partition, as if it were a regular process. We describe step by step how this is achieved: first gaining control of the VM by injecting code into the Virtual Machine Worker Process (vmwp.exe) running in the Root Partition, then injecting a small shellcode into the kernel of the guest operating system running inside the VM, intercepting execution, and finally completing the injection by deploying a small calc.exe-spawning shellcode into a user-mode process running inside the VM. On top of that, we will disclose several additional methods that can be used to inject code into a running Hyper-V VM.