Custom hypervisor for stealth malware analysis on VMs and bare metal.

Joe Sandbox Hypervisor is a custom-built hypervisor designed for runtime inspection and behavior analysis of malicious code. It is implemented independently, without derivation from open-source virtualization platforms such as KVM or XEN, allowing it to run on both virtual machines and bare metal hardware (physical PCs, laptops, etc.).

The hypervisor operates at ring -1 (a privilege level below the OS kernel), making it difficult for malware to detect. This stealth capability enables analysis of a broad range of malware, including kernel-mode rootkits, without triggering evasion mechanisms that malware commonly uses to detect virtual environments.

During analysis, Joe Sandbox Hypervisor captures a wide range of dynamic behavioral data, including:

- System calls with arguments
- Kernel calls with arguments
- User-mode API calls with arguments
- Access to memory areas (e.g., the Windows Process Environment Block / PEB)
- Access to performance counters
- Execution of specific CPU instructions (e.g., CPUID) by both kernel and user code

It supports mixed analysis environments, allowing the use of both virtual and physical machines simultaneously. Physical machine analysis is particularly useful for evasive malware that detects and avoids virtual environments.

The hypervisor is designed to analyze malware at native speed without introducing latency. It functions as a plugin for Joe Sandbox Cloud.
Common questions about Joe Sandbox Hypervisor including features, pricing, alternatives, and user reviews.
Joe Sandbox Hypervisor is a custom hypervisor for stealth malware analysis on VMs and bare metal, developed by Joe Security. It is a Network Security solution designed to help security teams with Sandbox, Dynamic Analysis, and Virtual Machine use cases.
Multi-OS malware analysis platform with sandbox, static analysis & URL scanning.