4. Hypervisors (concepts and Architecture)
Ring Privilege Levels (Ring 3 to Ring -1)
x86/x64 processors implement hardware privilege levels called 'rings'. Binaries runs mainly at Ring 3 which is the lowest privilege level, the Windows kernel runs at Ring 0, and hardware hypervisors operate at Ring -1 (VMX Root mode for Intel, or SVM Root mode for AMD) — which is actually below the OS kernel itself, which is quite an important point to understand because it means the hypervisor has more privilege than even the OS kernel does.
Almost all of the binaries/apps you use are running at Ring 3 and does not has access or calls into lower rings.
Now Denuvo DOES NOT HAS access to lower rings, it simple calls information via kernel based binaries like ntoskrnl.exe, user32.dll etc.
Hence the hypervisor can intercept the calls from Denuvo games and the response from hardware and provide a different information, and since we now know that hypervisor bypass are not exactly a VM, we know why it has no performance loss compared to native cracks, like the cracks done by VOICES38, Alot of people have recorded shits on youtube and do various shits, all of them will be exposed at the very end of this article :3

Intel VT-x (VMX) vs AMD-V (SVM)

VM Exits and VMCS/VMCB
A VM exit is basically what happens when the CPU switches from executing guest code back to the hypervisor host side. VM exits can be triggered by many events— CPUID execution, RDTSC, memory access violations in EPT/NPT, I/O port accesses, and so on. Each VM exit has a performance cost because it has to save the full guest CPU state and transfer control to the host VMM, and then do the reverse when returning. The VMCS (Intel) or VMCB (AMD) is the data structure that controls what triggers these exits, holds the saved guest CPU state, and configures the entire guest and host environment. Understanding this structure is key to understanding how any hypervisor-based spoofing works.
Extended Page Tables (EPT) and Nested Paging (NPT)
Both Intel EPT and AMD NPT provide a second layer of page table translation — so there are actually two address translations happening:
guest virtual → guest physical → host physical.
The hypervisor is the one that controls this second translation table, and this gives it a very powerful capability, making the same 'physical' address appear different depending on how it is being accessed. An EPT hook works by configuring a specific guest physical page to point to a different host physical page for read vs. execute access, which is quite clever. This is exactly how KUSER_SHARED_DATA fields and GPU MMIO registers can be spoofed without actually modifying the real underlying physical page, as per the techniques described in the CrackL@b analysis.
Windows Hypervisor Platform (WHP) API
Now this is my fav part ehe :3
The Windows Hypervisor Platform (WHP) is a set of user-mode APIs exposed through WinHvPlatform.dll that allow creating and managing VMs from Ring 3, without writing any kernel drivers at all. Internally, WHP uses Microsoft Hyper-V which must be enabled on the host system. VM exits are delivered to the user-mode application as structured return values from WHvRunVirtualProcessor, which is quite convenient.
Key API calls include WHvCreatePartition, WHvCreateVirtualProcessor,
WHvGetVirtualProcessorRegisters, and WHvSetVirtualProcessorRegisters among others. This is what the WHP-based research platform in Section 6 uses — all custom control logic stays in user mode (Ring 3),leveraging Hyper-V at Ring -1 without needing any custom Ring 0 driver, and without any driver signing requirements whatsoever. This is what makes it a very practical choice for research purposes.
ALso the most important and cool fack about WHP is that it is kind of Hypervisor, with VM and emulation capability with a lower ring access, and it is MULTI-THREADED (just to be quick, you can say without this multi thread major AAA games can lag a lot or kind of thing- I won't cover this)