Hypervisor based anti anti debug plugin for x64dbg

Air

Last update: Jan 8, 2023

Related tags

Debug HyperHide

Overview

HyperHide

Table of Contents

Description
Compilation
Support
Usage Information
Examples
Features
Remarks
License
Special thanks to

Description

HyperHide is open-source hypervisor based Anti-Anti-Debug plugin for x64dbg/x32dbg. HyperHide uses Intel ept to hook various syscalls and also other functions which can be used to spot the presence of debugger.

Compilation

In order to compile project you need WDK and Visual Studio 2019

Support

HyperHide supports all Windows versions from Windows 7 up to the newest version (x64 only), and works only on intel processors with VT-x and EPT support.

Usage Information

Download pre compiled binaries or compile source code yourself.

Turn on test signing mode by running below command in cmd with administrator rights (after turning on restart system)

bcdedit /set testsigning on

Put HyperHideDrv.sys and airhv.sys to C:\Windows\System32\drivers then open Scripts folder in repository and execute create.bat with administrator rights. In order to turn on both drivers execute on.bat with administrator rights. If you want to turn off both airhv and HyperHideDrv execute off.bat with administrator rights (remember to turn off all x64dbg/x32dbg instances before turning off drivers).

32-bit: Copy HyperHide.ini and HyperHide.dp32 to your \x32\plugins\ directory.

64-bit: Copy HyperHide.ini and HyperHide.dp64 to your \x64\plugins\ directory.

To check if HyperHide is working correctly, use DebugView.

Examples

Output from al-khaser 64 bit:

Output from al-khaser 32 bit:

Features

1. Process Environment Block (PEB)

The most important anti-anti-debug option. Almost every protector checks for PEB values.

First and the most important one is BeingDebugged field in PEB. This field is set when you start process with debugger and indicates its presence.

Second is NtGlobalFlag field. It is set to 0 by deafult but when process is started by debugger the following flags are set

FLG_HEAP_ENABLE_TAIL_CHECK (0x10)
FLG_HEAP_ENABLE_FREE_CHECK (0x20)
FLG_HEAP_VALIDATE_PARAMETERS (0x40)

When Clear Peb BeingDebugged checkbox is set in plugin options then everytime you start debugging HyperHideDrv will clear BeingDebugged.

When Clear Peb NtGlobalFlag checkbox is set in plugin options then everytime you start debugging HyperHidDrv will clear NtGlobalFlag (Do not use if you are attaching to existing process).

2. Heap Flags

Heap contains two flags which are affected by debugger.

First is Flags field in heap which by default is set to HEAP_GROWABLE when process is started by debugger Flags is set to combination of these flags:

x86:

HEAP_GROWABLE (2)
HEAP_TAIL_CHECKING_ENABLED (0x20)
HEAP_FREE_CHECKING_ENABLED (0x40)
HEAP_SKIP_VALIDATION_CHECKS (0x10000000)
HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

x64:

HEAP_GROWABLE (2)
HEAP_TAIL_CHECKING_ENABLED (0x20)
HEAP_FREE_CHECKING_ENABLED (0x40)
HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

Second one is ForceFlags which by default is set to 0 When process is started by debugger, ForceFlags is set to combination of these flags:

HEAP_TAIL_CHECKING_ENABLED (0x20)
HEAP_FREE_CHECKING_ENABLED (0x40)
HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

When Clear Heap Flags checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will clear set Flags and ForceFlags to their default value (Do Not use if you are attaching to existing process).

3. Process Flags

Windows uses various process flags which can be used to detect debugger or to make the debugging harder.

First flag is BreakOnTermination. When set process termination leads to bsod

When Clear ProcessBreakOnTermination checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will clear this field in debugged process EPROCESS struct and save information if it was set or not for further use in NtQueryInformationProcess (Do Not use if you are starting process with debugger).

Second flag is ProcessHandleTracing. It indicates if process handle tracing is enable or not.

When Save ProcessHandleTracing checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will save information if it was set or not for further use in NtQueryInformationProcess (Do Not use if you are starting process with debugger).

Third flag is ProcessDebugFlags

When Save ProcessHandleTracing checkbox is set in plugin options then everytime you start debugging HyperHideDrv will save information if it was set or not for further use in NtQueryInformationProcess (Do Not use if you are starting process with debugger).

4. Thread Flags

Windows uses various thread flags which can be used to detect debugger or to make the debugging harder.

First flag is ThreadHideFromDebugger. When set debugger loses control under thread.

When Clear ThreadHideFromDebugger Flag checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will clear this field in debugged process thread ETHREAD struct and save information if it was set or not for further use in NtQueryInformationThread (Do Not use if you are starting process with debugger).

Second flag is BreakOnTermination. When set thread termination leads to bsod.

When Clear ThreadBreakOnTermination checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will clear this field in debugged process thread ETHREAD struct and save information if it was set or not for further use in NtQueryInformationThread (Do Not use if you are starting process with debugger).

Third flag is BypassProcessFreeze. When set calling NtSuspendProcess will ignore all threads which have this flag set (Flag exist on Windows version 19h1 up to the newest).

When Clear BypassProcessFreeze Flag checkbox is set in plugin options then everytime you start debugging HyperHideDrv will clear this field in debugged process thread KTHREAD struct (Do Not use if you are starting process with debugger).

5. KUserSharedData

KUserShared data is global shared page between all usermode processes located always in same exact address (0x7FFE0000). KUserShared has a lot of counters which can be used to perform time attacks.

When KUserSharedData checkbox is set in plugin options then everytime you start debugging HyperHideDrv will swap pfn of process kusd with fake one. Everytime when process is paused HyperHideDrv will stop updating counters. And after resuming counter would have values derrived from kernel version of KUserShared located always in same exact addres (0xFFFFF78000000000) minus the time when they were paused.

When Clear KUserSharedData checkbox is set in plugin options then HyperHideDrv will clear KdDebuggerEnabled field (works only if usermode kusershareddata page is replaced with fake one)

6. KiExceptionDisptach

KiExceptionDisptach is kernelmode function responsible for handling exceptions. HyperHideDrv hook it to clear debug registers or to send fake debug context if it was previously set with NtSetContextThread\NtSetInformationThread\NtContinue.

When KiExceptionDisptach checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function

7. NtQueryInformationProcess

NtQueryInformationProcess can be called with various PROCESSINFOCLASS values to detect debugger, for example:

ProcessDebugPort is used to retrive port number of the debugger for the process. If process is debuged this function writes -1 (0xFFFFFFFFFFFFFFFF) to buffer passed in ProcessInformation. Otherwise it writes 0 (HyperHideDrv always return 0).
ProcessDebugObjectHandle is used to query debug object handle if there is no attached debugger function write 0 to passed buffer and return status STATUS_PORT_NOT_SET (0xC0000353). HyperHideDrv will always return STATUS_PORT_NOT_SET
ProcessDebugFlags is used to query process flag NoDebugInherit. If debugger is attached function returns 0 otherway it returns 1. HyperHideDrv will return value previosly saved from NtSetInformationProcess or value which was saved while attaching.
ProcessBreakOnTermination is used to retrive information if process has BreakOnTermination flag set or not. HyperHideDrv will return value previously saved from NtSetInformationProcess or value which was cleared while attaching.
ProcessBasicInformation is used to retrive information of process parent id. HyperHide will return explorer.exe pid.
ProcessIoCounters is used to retrive informaton about io counters. HyperHideDrv will write 1 to OtherOperationCount field in IO_COUNTERS.
ProcessHandleTracing is used to retrive information if process handle tracing is enabled. HyperHideDrv will return value previously saved from NtSetInformationProcess or value which was saved while attaching.

When NtQueryInformationProcess checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handles above cases.

8. NtQueryInformationThread

NtQueryInformationThread can be called with various THREADINFOCLASS values to detect debugger for example:

ThreadHideFromDebugger is used to check if thread which handle to was passed in ThreadHandle function parameter has HideFromDebugger flag set or not. HyperHideDrv will return to 0 or 1 depends if process previously attempted to hide thread via NtSetInformationThread or if thread was hidden while attaching to process.
ThreadBreakOnTermination is used to retrive information if thread has BreakOnTermination flag set or not. HyperHideDrv will return value previously saved from NtSetInformationThread or value which was cleared while attaching.
ThreadWow64Context is used to retrive WOW64 context. Can be used only on thread which belongs to WOW64 process. HyperHideDrv will return zeroed or fake debug registers which was previously set in NtSetInformationThread with flag ThreadWow64Context.

When NtQueryInformationThread checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handles above cases.

9. NtQueryInformationJobObject

NtQueryInformationJobObject called with JOBOBJECTINFOCLASS JobObjectBasicProcessIdList can be used to list ids of all processes assiociated with the job and its child jobs. One of them can be a debugger, for example x64dbg/x32dbg. HyperHideDrv will check all pids and clear it if it is same as debugger pid.

When NtQueryInformationJobObject checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handles above case.

10. NtQueryObject

NtQueryObject called with OBJECT_INFORMATION_CLASS ObjectTypeInformation or ObjectTypesInformation can be used to get number of existing DebugObject handles. Since debuggers create such handle when they are debugging HyperHideDrv will return decremented number of DebugObject handles one per each active debugger.

When NtQueryObject checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handle above cases.

11. NtQuerySystemInformation

NtQuerySystemInformation called with OBJECT_INFORMATION_CLASS:

SystemKernelDebuggerInformation, SystemKernelDebuggerFlags and SystemKernelDebuggerInformationEx can be used to check if there is active kernel debugger . HyperHideDrv will always return that there are not any active kernel debuggers.
- SystemProcessInformation, SystemSessionProcessInformation, SystemExtendedProcessInformation and SystemFullProcessInformation can be used to list all existing processes all their threads and their parent process id. HyperHideDrv will filter all forbidden processes like x64dbg/x32dbg, procmon, procexp and also will set explorer.exe as parent process pid.
SystemCodeIntegrityInformation is used to check if code integrity options is enabled. If it is not then you can load unsigned driver like for example HyperHideDrv. HyperHideDrv will always return that code integrity is enabled.
SystemExtendedHandleInformation and SystemHandleInformation is used to list all existing handles and process id which they belongs to. HyperHideDrv will filter all handles which belong to forbidden processes like x64dbg/x32dbg, procmon, procexp.

When NtQuerySystemInformation checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handles above cases.

12. NtQuerySystemTime

NtQuerySystemTime can be used to query system time. HyperHideDrv will take SystemTime value from hooked KUserSharedData if there is one, otherway it will call original NtQuerySystemTime save it value and eveytime later it will increment this saved value and return it.

When NtQuerySystemTime checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

13. NtQueryPerformanceCounter

Same as in NtQuerySystemTime

When NtQueryPerformanceCounter checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

14. NtSetInformationThread

NtSetInformationThread can be called with various THREADINFOCLASS values to detect debugger for example:

ThreadHideFromDebugger is used to hide process from debugger. HyperHideDrv will ignore that request and save information that this thread was requested to be hidden and will use that information later in NtQueryInformationThread.
ThreadWow64Context is used to set WOW64 thread context. Can be used only on thread which belongs to WOW64 process. HyperHideDrv will ignore that request and save debug registers passed in context and use later in NtQueryInformationThread.
ThreadBreakOnTermination is used to set thread BreakOnTermination flag. When thread with this flag set is terminated bsod is throwed. HyperHideDrv ignore that request and save that information for later use in NtQueryInformationThread.

When NtSetInformationThread checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande above cases.

15. NtSetInformationProcess

NtQueryInformationProcess can be called with various PROCESSINFOCLASS values to detect debugger for example:

ProcessDebugFlags is used to set process flag NoDebugInherit. HyperHideDrv will save that information for later use in NtQueryInformationProcess.
ProcessBreakOnTermination is used to set BreakOnTermination flag. When process with this flag set is terminated bsod is throwed. HyperHideDrv will ignore that request and save that information for later use in NtQueryInformationProcess.
ProcessHandleTracing is used to enable process handle tracing. HyperHideDrv will save that information for later use in NtQueryInformationProcess.

When NtSetInformationProcess checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande above cases.

16. NtSystemDebugControl

NtSystemDebugControl should return always STATUS_DEBUGGER_INACTIVE if there is no active debugger or in case when Command is set to SysDbgGetTriageDump return should be STATUS_INFO_LENGTH_MISMATCH

When NtSystemDebugControl checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

17. NtClose

NtClose is used to close a handle. If there is a active debugger attempting to close invalid handle or protected one, the function throws an exception. HyperHideDrv check if such conditions are met and return without exception being throwed.

When NtClose checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

18. NtSetContextThread

NtSetContextThread can be used to clear/set dr registers which are used for hardware breakpoints. HyperHideDrv will clear flag in ContextFlags so it won't change dr register. It will also save dr values from passed context for later use in NtGetContextThread\KiExceptionDispatch.

When NtSetContextThread checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

19. NtGetContextThread

NtGetContextThread can be used to retrive context with dr registers which are used for hardware breakpoints. HyperHideDrv will set these dr registers in context to this previously saved in NtSetContextThread and if there aren't any it will be zeroed.

When NtGetContextThread checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

20. NtCreateThreadEx

NtCreateThreadEx is used to create a thread. It is possible to pass thread flags to function for example HideFromDebugger or FreezeBypassProcessFreeze. HyperHideDrv will create thread and ignore these flags at the same time will save information about them for further use in NtQueryInformationThread.

When NtCreateThreadEx checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

21. NtCreateProcessEx

Similar to NtCreateUserProcess but NtCreateProcessEx is deprecated and not used in new windows versions.

When NtCreateProcessEx checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

22. NtCreateUserProcess

NtCreateUserProcess is used to create process. HyperHideDrv will hide newly created process until debugger or new process exit.

When NtCreateUserProcess checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

23. NtCreateFile

NtCreateFile can be used to create a handle to a driver. HyperHideDrv will check if debugged process want to create handle to one of forbidden driver.

When NtCreateFile checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

24. NtYieldExecution

This method is not really reliable because it only shows if there a high priority thread in the current process. HyperHideDrv will always return STATUS_SUCCESS.

When NtYieldExecution checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

25. NtOpenProcess

NtOpenProcess can be used to enumerate all existing process since every process has it own pid. HyperHideDrv will check if pid belongs to any forbidden process like x64dbg/x32dbg, procmon, procexp.

When NtOpenProcess checkbox is set in plugin options then, everytime you start debugging HyperHideDrv will hook this function and hande it.

26. NtOpenThread

Same as NtOpenProcess but instead pid it uses tid (Thread ID)

When NtOpenThread checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

27. NtGetNextProcess

Same as NtOpenProcess but instead pid it uses process handle

When NtGetNextProcess checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

28. NtContinue

Same as NtSetContextThread

When NtContinue checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

29. NtUserFindWindowEx

NtUserFindWindowEx can be used to retrieve a handle to the top-level window whose class name and window name match the specified strings. HyperHideDrv will check if specified names are forbidden.

When NtUserFindWindowEx checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

30. NtUserGetForegroundWindow

NtUserGetForegroundWindow can be used to retrieve a handle to the foreground window. If it is handle to debugger window then HyperHideDrv return NtUserGetThreadState with THREADSTATE_ACTIVEWINDOW.

When NtUserGetForegroundWindow checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

31. NtUserQueryWindow

NtUserQueryWindow can be used to retrieve the identifier of the thread that created the specified window or the identifier of the process that created the window. HyperHideDrv will check if window handle belongs to debugger and return debugged process pid or tid.

When NtUserQueryWindow checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

32. NtUserBuildHwndList

NtUserBuildHwndList can be used to list all windows. HyperHideDrv will find every handle to forbidden window and clear information about it.

When NtUserBuildHwndList checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

Remarks

Never run this driver on production system. Use virtual machine instead

License

HyperHide is under the GNU General Public License v3.

Special thanks to

ScyllaHide developers

al-khaser by Noteworthy

Check Point for Anti-Debug Tricks

Peter Ferrie for his Anti-Debug pdf

Comments

BOSD hv::vmread(GUEST_LDTR_SELECTOR);


Microsoft (R) Windows Debugger Version 10.0.22000.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff806`72800000 PsLoadedModuleList = 0xfffff806`7342a190
Debug session time: Fri Aug 27 16:09:05.529 2021 (UTC + 8:00)
System Uptime: 0 days 0:05:00.392
Loading Kernel Symbols
...............................................................
.........Page 403808 not present in the dump file. Type ".hh dbgerr004" for details
.......................................................
................................................................
............
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`01291018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.........
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000014ffd0a, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8067d13d64c, address which referenced memory

Debugging Details:
------------------

Unable to load image \??\D:\Debugger\xgDebuger\airhv.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2187

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 9408

    Key  : Analysis.Init.CPU.mSec
    Value: 2312

    Key  : Analysis.Init.Elapsed.mSec
    Value: 15751

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 105

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  d1

BUGCHECK_P1: 14ffd0a

BUGCHECK_P2: ff

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8067d13d64c

READ_ADDRESS:  00000000014ffd0a 

ADDITIONAL_DEBUG_TEXT:  The trap occurred when interrupts are disabled on the target.

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  xcoronahost.xem

TRAP_FRAME:  ffffe30835072cc0 -- (.trap 0xffffe30835072cc0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00000000014ffd0a
rdx=0000000000005658 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8067d13d64c rsp=ffffe30835072e50 rbp=00000000f344c014
 r8=0000000000e8b86f  r9=0000000000000000 r10=0000000000000000
r11=000000000111e250 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di ng nz na po nc
airhv!vmexit_ldtr_access_handler+0xbc:
fffff806`7d13d64c 488901          mov     qword ptr [rcx],rax ds:00000000`014ffd0a=????????????????
Resetting default scope

BAD_STACK_POINTER:  ffffe30835072b78

STACK_TEXT:  
ffffe308`35072b78 fffff806`72c09169     : 00000000`0000000a 00000000`014ffd0a 00000000`000000ff 00000000`00000000 : nt!KeBugCheckEx
ffffe308`35072b80 fffff806`72c05469     : 1336d8ff`fff8067d ae6000ff`fff8067d 000040ff`fff80672 ae584a00`00000000 : nt!KiBugCheckDispatch+0x69
ffffe308`35072cc0 fffff806`7d13d64c     : 00000000`0000080c fffff806`7d13ce77 ffffe308`35072ff8 fffff806`7d13d331 : nt!KiPageFault+0x469
ffffe308`35072e50 fffff806`7d13dac8     : ffffe308`28913a70 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_ldtr_access_handler+0xbc [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 228] 
ffffe308`35072ec0 fffff806`7d13139c     : ffffe308`35072f20 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_handler+0xe8 [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 1439] 
ffffe308`35072f00 ffffe308`35072f20     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmm_entrypoint+0x4c [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\asm\vm_context.asm @ 60] 
ffffe308`35072f08 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffe308`35072f20


FAULTING_SOURCE_LINE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp

FAULTING_SOURCE_FILE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp

FAULTING_SOURCE_LINE_NUMBER:  228

FAULTING_SOURCE_CODE:  
   224: 	{
   225: 		// SLDT
   226: 		case 0:
   227: 		{
>  228: 			*linear_address = hv::vmread(GUEST_LDTR_SELECTOR);
   229: 
   230: 			break;
   231: 		}
   232: 
   233: 		// STR


SYMBOL_NAME:  airhv!vmexit_ldtr_access_handler+bc

MODULE_NAME: airhv

IMAGE_NAME:  airhv.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  bc

FAILURE_BUCKET_ID:  DISABLED_INTERRUPT_FAULT_STACKPTR_ERROR_airhv!vmexit_ldtr_access_handler

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {d9cba956-7904-06a1-f790-6a47973b5789}

Followup:     MachineOwner
---------


}...

opened by gamegrd 5

[SC] StartService FAILED 31: a device attached to the system is not functioning

DebugView seems to have shown nothing interesting? i'm sure that i did anything on README. Airhv is fine, but hyperhidedrv can't start. (windows 11 and patchguard is disabled)

opened by virginity-is-cool 3
HookedNtYieldExecution return value error

if(Hider::IsHidden(IoGetCurrentProcess(), HIDE_NT_YIELD_EXECUTION) == TRUE) { OriginalNtYieldExecution(); return STATUS_SUCCESS; //return here STATUS_NO_YIELD_PERFORMED }

opened by taodaqiao 1
Fucking BSOD

Hi,i try use this plugin for bypass antidebug themida (last vershion). If i start on.bat,then i get BSOD. I am just starting to learn in drivers so I can't fix it. Code mistake:WHEA UNCORRECTABLE ERROR Dump: https://drive.google.com/file/d/1ZZdgCOR3n5V5I8wAcOmC2cUh_cXDttD_/view?usp=sharing

Also i recomended add hook NtQueryLicenseValue.It's can call from ring3 for check test mode(CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners). You can see mode informathion hear: https://github.com/HyperSine/Windows10-CustomKernelSigners

opened by Ahora57 1
AMD CPU failed to turn on the driver
My CPU is AMD 1950x and CPU virtualization is enabled, but the driver is always in the state of loading failure.

I System Ver: Microsoft Windows [Version 10.0.19043.1110]

I started the test mode of windows 10 with the following command to allow unsigned driver loading options.

The driver could not be loaded

bcdedit.exe /set nointegritychecks on bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS bcdedit.exe /set testsigning on

error: C:\Windows\system32>sc start airhv [SC] StartService fail 2: C:\Windows\system32>sc start HyperHideDrv [SC] StartService fail 31:
opened by bitxx 1
DRIVER_IRQL_NOT_LESS_OR_EQUAL on WIN7X64 with HyperHide_2021-07-19
Loading Dump File [C:\Windows\Minidump\072121-11247-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv* Executable search path is: Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.24384.amd64fre.win7sp1_ldr_escrow.190220-1800 Machine Name: Kernel base = 0xfffff80005251000 PsLoadedModuleList = 0xfffff8000548ac90 Debug session time: Wed Jul 21 13:33:27.203 2021 (UTC + 8:00) System Uptime: 0 days 0:01:57.592 Loading Kernel Symbols

1: kd> !analyze -v

*

Bugcheck Analysis *

*

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: fffff88003b80000, memory referenced Arg2: 0000000000000002, IRQL Arg3: 0000000000000000, value 0 = read operation, 1 = write operation Arg4: fffff8800307ab03, address which referenced memory

Debugging Details:

*** WARNING: Unable to verify timestamp for airhv.sys fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock GetUlongPtrFromAddress: unable to read from fffff800054ee300

KEY_VALUES_STRING: 1

Key : Analysis.CPU.Sec Value: 3 Key : Analysis.DebugAnalysisProvider.CPP Value: Create: 8007007e on WIN-3TVJD1ASNOS Key : Analysis.DebugData Value: CreateObject Key : Analysis.DebugModel Value: CreateObject Key : Analysis.Elapsed.Sec Value: 11 Key : Analysis.Memory.CommitPeak.Mb Value: 68 Key : Analysis.System Value: CreateObject

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: d1

BUGCHECK_P1: fffff88003b80000

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8800307ab03

READ_ADDRESS: fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock Unable to get MmSystemRangeStart GetUlongPtrFromAddress: unable to read from fffff800054ee2f0 GetUlongPtrFromAddress: unable to read from fffff800054ee4a8 fffff88003b80000

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: vmtoolsd.exe

TRAP_FRAME: fffffa8031432cd0 -- (.trap 0xfffffa8031432cd0) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000000000 rbx=0000000000000000 rcx=000000000000f5d8 rdx=000000000000fed0 rsi=0000000000000000 rdi=0000000000000000 rip=fffff8800307ab03 rsp=fffffa8031432e60 rbp=fffffa8031bff810 r8=000000000000fec0 r9=0000000000000020 r10=0000000000000718 r11=fffffa8031432e68 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up di pl nz na pe nc airhv+0x9b03: fffff880`0307ab03 f36e rep outs dx,byte ptr [rsi] Resetting default scope

BAD_STACK_POINTER: fffffa8031432b88

STACK_TEXT:
fffffa8031432b88 fffff800052f2f69 : 000000000000000a fffff88003b80000 0000000000000002 0000000000000000 : nt!KeBugCheckEx fffffa8031432b90 fffff800052f0d88 : 0000000000000000 fffff88003b80000 0000000000000000 fffff88003b7f718 : nt!KiBugCheckDispatch+0x69 fffffa8031432cd0 fffff8800307ab03 : fffff80005264d0f fffff88000000001 000000007ff4c718 0000000000000000 : nt!KiPageFault+0x448 fffffa8031432e60 fffff80005264d0f : fffff88000000001 000000007ff4c718 0000000000000000 fffff8a001937ce0 : airhv+0x9b03 fffffa8031432e68 fffff88000000001 : 000000007ff4c718 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 : nt!MmCreateMdl+0xb7 fffffa8031432e70 000000007ff4c718 : 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 : 0xfffff88000000001 fffffa8031432e78 0000000000000000 : fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 fffff880`0307a15d : 0x7ff4c718

SYMBOL_NAME: airhv+9b03

MODULE_NAME: airhv

IMAGE_NAME: airhv.sys

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: X64_0xD1_STACKPTR_ERROR_airhv+9b03

OS_VERSION: 7.1.7601.24384

BUILDLAB_STR: win7sp1_ldr_escrow

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {7ac92028-be9a-ed12-5957-bd8308811d0f}

Followup: MachineOwner
opened by jianxq 1
Crash with HyperHide_2021-06-13
Loading Dump File [C:\Windows\Minidump\062621-23977-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv* Executable search path is: Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.24441.amd64fre.win7sp1_ldr.190418-1735 Machine Name: Kernel base = 0xfffff80006808000 PsLoadedModuleList = 0xfffff80006a41c90 Debug session time: Sat Jun 26 23:37:11.662 2021 (UTC + 8:00) System Uptime: 0 days 1:21:39.427 Loading Kernel Symbols ............................................................... ................................................................ .................................................. Loading User Symbols Loading unloaded module list .......... For analysis of this file, run !analyze -v 3: kd> !analyze -v

*

Bugcheck Analysis *

*

CRITICAL_STRUCTURE_CORRUPTION (109) This bugcheck is generated when the kernel detects that critical kernel code or data have been corrupted. There are generally three causes for a corruption:

A driver has inadvertently or deliberately modified critical kernel code or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx

A developer attempted to set a normal kernel breakpoint using a kernel debugger that was not attached when the system was booted. Normal breakpoints, "bp", can only be set if the debugger is attached at boot time. Hardware breakpoints, "ba", can be set at any time.

A hardware corruption occurred, e.g. failing RAM holding kernel code or data. Arguments: Arg1: a3a039d8a7a328fd, Reserved Arg2: b3b7465efa213a23, Reserved Arg3: 00000000c0000080, Failure type dependent information Arg4: 0000000000000007, Type of corrupted region, can be 0 : A generic data region 1 : Modification of a function or .pdata 2 : A processor IDT 3 : A processor GDT 4 : Type 1 process list corruption 5 : Type 2 process list corruption 6 : Debug routine modification 7 : Critical MSR modification 8 : Object type 9 : A processor IVT a : Modification of a system service function b : A generic session data region c : Modification of a session function or .pdata d : Modification of an import table e : Modification of a session import table f : Ps Win32 callout modification 10 : Debug switch routine modification 11 : IRP allocator modification 12 : Driver call dispatcher modification 13 : IRP completion dispatcher modification 14 : IRP deallocator modification 15 : A processor control register 16 : Critical floating point control register modification 17 : Local APIC modification 18 : Kernel notification callout modification 19 : Loaded module list modification 1a : Type 3 process list corruption 1b : Type 4 process list corruption 1c : Driver object corruption 1d : Executive callback object modification 1e : Modification of module padding 1f : Modification of a protected process 20 : A generic data region 21 : A page hash mismatch 22 : A session page hash mismatch 23 : Load config directory modification 24 : Inverted function table modification 25 : Session configuration modification 26 : An extended processor control register 27 : Type 1 pool corruption 28 : Type 2 pool corruption 29 : Type 3 pool corruption 2a : Type 4 pool corruption 2b : Modification of a function or .pdata 2c : Image integrity corruption 2d : Processor misconfiguration 2e : Type 5 process list corruption 2f : Process shadow corruption 30 : Retpoline code page corruption 101 : General pool corruption 102 : Modification of win32k.sys

Debugging Details:

fffff800069ea0e8: Unable to get Flags value from nt!KdVersionBlock GetUlongPtrFromAddress: unable to read from fffff80006aa5300

KEY_VALUES_STRING: 1

Key : Analysis.CPU.Sec Value: 1 Key : Analysis.DebugAnalysisProvider.CPP Value: Create: 8007007e on XU-PC Key : Analysis.DebugData Value: CreateObject Key : Analysis.DebugModel Value: CreateObject Key : Analysis.Elapsed.Sec Value: 1 Key : Analysis.Memory.CommitPeak.Mb Value: 66 Key : Analysis.System Value: CreateObject

BUGCHECK_CODE: 109

BUGCHECK_P1: a3a039d8a7a328fd

BUGCHECK_P2: b3b7465efa213a23

BUGCHECK_P3: c0000080

BUGCHECK_P4: 7

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

STACK_TEXT:
fffff88004d08498 0000000000000000 : 0000000000000109 a3a039d8a7a328fd b3b7465efa213a23 00000000c0000080 : nt!KeBugCheckEx

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: BAD_STACK_0x109

OS_VERSION: 7.1.7601.24441

BUILDLAB_STR: win7sp1_ldr

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {b4d7023a-05c3-49b2-3ea4-6240fe57d90e}

Followup: MachineOwner
opened by TinyOra 1
Compile failed （win7 x64 6.1.7601.24441）

When i try to compile the latest code, i got a lot of errors, can someone tell me how to fix? thanks for a lot.

Details: Windows 7 x64 sp1 ( 6.1.7601.24441) Microsoft Visual Studio Enterprise 2019 version 16.10.2 WDK 10.0.19030.1000

opened by TinyOra 1
Crash when selecting KUserSharedData or Clear KUserSharedData
Loading Dump File [F:\061221-52203-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary ************** Response Time (ms) Location Deferred srv* Symbol search path is: srv* Executable search path is: Windows 10 Kernel Version 18362 MP (16 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 18362.1.amd64fre.19h1_release.190318-1202 Machine Name: Kernel base = 0xfffff8056cc00000 PsLoadedModuleList = 0xfffff8056d0432b0 Debug session time: Sat Jun 12 13:51:05.767 2021 (UTC + 11:00) System Uptime: 0 days 16:38:38.687 Loading Kernel Symbols ............................................................... ................................................................ ................................... Loading User Symbols Loading unloaded module list .................................................. For analysis of this file, run !analyze -v nt!KeBugCheckEx: fffff8056cdbc8a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa2824a02f2d0=0000000000000050 4: kd> !analyze -v

*

Bugcheck Analysis *

*

PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffba8c0b649900, memory referenced. Arg2: 0000000000000011, value 0 = read operation, 1 = write operation. Arg3: ffffba8c0b649900, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000002, (reserved)

Debugging Details:

*** WARNING: Unable to verify timestamp for HyperHideDrv.sys

Could not read faulting driver name

KEY_VALUES_STRING: 1

Key : Analysis.CPU.Sec Value: 8 Key : Analysis.DebugAnalysisProvider.CPP Value: Create: 8007007e on E5_1 Key : Analysis.DebugData Value: CreateObject Key : Analysis.DebugModel Value: CreateObject Key : Analysis.Elapsed.Sec Value: 34 Key : Analysis.Memory.CommitPeak.Mb Value: 70 Key : Analysis.System Value: CreateObject

BUGCHECK_CODE: 50

BUGCHECK_P1: ffffba8c0b649900

BUGCHECK_P2: 11

BUGCHECK_P3: ffffba8c0b649900

BUGCHECK_P4: 2

WRITE_ADDRESS: fffff8056d16e3b0: Unable to get MiVisibleState Unable to get NonPagedPoolStart Unable to get NonPagedPoolEnd Unable to get PagedPoolStart Unable to get PagedPoolEnd fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock unable to get nt!MmSpecialPagesInUse ffffba8c0b649900

MM_INTERNAL_CODE: 2

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: procexp64.exe

TRAP_FRAME: ffffa2824a02f570 -- (.trap 0xffffa2824a02f570) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000004025 rbx=0000000000000000 rcx=0000000fffffffff rdx=fffffc7e3f1f8000 rsi=0000000000000000 rdi=0000000000000000 rip=ffffba8c0b649900 rsp=ffffa2824a02f708 rbp=fffff805781a9ea0 r8=0000000000000001 r9=0000000000010fd4 r10=fffffffff4a68134 r11=000000000034bdea r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz ac po nc ffffba8c0b649900 0300 add eax,dword ptr [rax] ds:0000000000004025=???????? Resetting default scope

STACK_TEXT:
ffffa2824a02f2c8 fffff8056cddfd54 : 0000000000000050 ffffba8c0b649900 0000000000000011 ffffa2824a02f570 : nt!KeBugCheckEx ffffa2824a02f2d0 fffff8056cc7aaef : 0000000000000000 0000000000000011 0000000000000000 ffffba8c0b649900 : nt!MiSystemFault+0x1d2d64 ffffa2824a02f3d0 fffff8056cdca79a : 0000000000000000 00001f8000000100 0000000000000000 fffff805781a9ebc : nt!MmAccessFault+0x34f ffffa2824a02f570 ffffba8c0b649900 : 9100000004025025 ffff82812e603000 ffffba8c003de870 000000023ff05000 : nt!KiPageFault+0x35a ffffa2824a02f708 9100000004025025 : ffff82812e603000 ffffba8c003de870 000000023ff05000 fffff805781a36c2 : 0xffffba8c0b649900 ffffa2824a02f710 ffff82812e603000 : ffffba8c003de870 000000023ff05000 fffff805781a36c2 0000000000000002 : 0x9100000004025025 ffffa2824a02f718 ffffba8c003de870 : 000000023ff05000 fffff805781a36c2 0000000000000002 000000000034be08 : 0xffff82812e603000 ffffa2824a02f720 000000023ff05000 : fffff805781a36c2 0000000000000002 000000000034be08 fffff8056cc01000 : 0xffffba8c003de870 ffffa2824a02f728 fffff805781a36c2 : 0000000000000002 000000000034be08 fffff8056cc01000 ffffba8c0b649900 : 0x000000023ff05000 ffffa2824a02f730 0000000000000002 : 000000000034be08 fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 : HyperHideDrv+0x36c2 ffffa2824a02f738 000000000034be08 : fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c : 0x2 ffffa2824a02f740 fffff8056cc01000 : ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 : 0x34be08 ffffa2824a02f748 ffffba8c0b649900 : fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 : nt!SeConvertSecurityDescriptorToStringSecurityDescriptor+0xfffffffffffffff0 ffffa2824a02f750 fffff805781ac2b0 : fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 0000000000000000 : 0xffffba8c0b649900 ffffa2824a02f758 fffff8056ccdc92c : ffffba8c08e71eb0 0000000000000002 0000000000000000 0000000000000000 : HyperHideDrv+0xc2b0 ffffa2824a02f760 fffff805781a1e10 : ffffba8c003de870 ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 : nt!KeAcquireGuardedMutex+0x1c ffffa2824a02f790 ffffba8c003de870 : ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 : HyperHideDrv+0x1e10 ffffa2824a02f798 ffffba8c0dc8e380 : ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 0000000000000000 : 0xffffba8c003de870 ffffa2824a02f7a0 ffffba8c08e71eb0 : fffff8056cf503a9 0000000000000000 0000000000000000 0000000000000000 : 0xffffba8c0dc8e380 ffffa2824a02f7a8 fffff8056cf503a9 : 0000000000000000 0000000000000000 0000000000000000 fffff805781a1489 : 0xffffba8c08e71eb0 ffffa2824a02f7b0 fffff8056cc31cc9 : ffffba8c08e71eb0 0000000000000001 0000000000000001 000000000000020c : nt!_guard_retpoline_exit_indirect_rax+0x9 ffffa2824a02f800 fffff8056d1eb6c5 : ffffa2824a02fb80 ffffba8c08e71eb0 0000000000000001 ffffba8c0b70d690 : nt!IofCallDriver+0x59 ffffa2824a02f840 fffff8056d1eb01a : ffffba8c08e71eb0 ffffa2824a02fb80 000000000022240c ffffa2824a02fb80 : nt!IopSynchronousServiceTail+0x1a5 ffffa2824a02f8e0 fffff8056d1eaa36 : ba8c0d9ed5b0ffed 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x5ca ffffa2824a02fa20 fffff8056cdcdf98 : 0000000000000001 ffffa2824a02fb00 0000000000000000 ffffa2824a02fa00 : nt!NtDeviceIoControlFile+0x56 ffffa2824a02fa90 00007ffeb4bdc144 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28 000000c7ab4ff758 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`b4bdc144

SYMBOL_NAME: HyperHideDrv+36c2

MODULE_NAME: HyperHideDrv

IMAGE_NAME: HyperHideDrv.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 36c2

FAILURE_BUCKET_ID: AV_INVALID_HyperHideDrv!unknown_function

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {d37c959a-417f-c891-0472-d90c19d031fc}

Followup: MachineOwner
opened by baby0o01999 1
Please also handle NtContinueEx

Hello,

First of all let me say that you created here a really great peace of software, thank you very much.

But now to the issue, since windows 10 2004 MSFT added an extended version of the NtContinue sys call called NtContinueEx And I already have seen it being used for example by the Line messager.

It would be great if you could add handling for the NtContinueEx as well

Cheers David

opened by DavidXanatos 1
Failed to load plugin in x64dbg
When I open x64dbg I get [PLUGIN] Failed to load plugin: HyperHide.dp64 in the logs. I made sure that the airhv and HyperHideDrv drivers were loaded by using driverquery.

My Installation steps

Copy HyperHideDrv.sys and airhv.sys to C:\Windows\System32\drivers

Disable driver signing

Run create.bat script as administrator

Run on.bat script as administrator

Copy HyperHide.dp64 and HyperHide.ini to x64dbg plugins folder

Run x64dbg

Computer details

Windows 10 19043.928

Intel Core i7-4770HQ

x64dbg snapshot_2021-05-08_14-17
opened by dustinlieu 1
sign incorrectly

cmd: C:\WINDOWS\system32>sc start airhv [SC] StartService FAILED 577:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

C:\WINDOWS\system32>sc start HyperHideDrv [SC] StartService FAILED 577:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

C:\WINDOWS\system32>pause Press any key to continue . . .

opened by reltkaine 1

Releases(HyperHide_2022-08-07)

HyperHide_2022-08-07(Aug 7, 2022)
Added:

Dynamically retrieving syscall numbers

System pool tag information filtration

Source code(tar.gz)
Source code(zip)
HyperHide.zip(1.09 MB)
HyperHide_2021-10-14(Oct 14, 2021)

Added suport for Windows 11 and Windows 21H2 and fixed some minor bugs
Source code(tar.gz)
Source code(zip)
HyperHide.zip(122.23 KB)
HyperHide_2021-08-25(Aug 25, 2021)
BUGFIX:

#9

#12

Source code(tar.gz)
Source code(zip)
HyperHide.7z(86.22 KB)
HyperHide_2021-08-01(Aug 1, 2021)

Source code(tar.gz)
Source code(zip)
HyperHide.7z(85.44 KB)
HyperHide_2021-07-19(Jul 19, 2021)
FEATURES:

Ability to hide presence of hypervisor (only via cpuid, rdtsc/rdtscp still not supported)

Source code(tar.gz)
Source code(zip)
HyperHide.7z(85.16 KB)
HyperHide_2021-06-13(Jun 13, 2021)
BUGFIX:

Fixed hypervisor msr read/write handling

#3

Source code(tar.gz)
Source code(zip)
HyperHide_2021-06-06(Jun 6, 2021)

Source code(tar.gz)
Source code(zip)
HyperHide.7z(83.82 KB)

Hypervisor based anti anti debug plugin for x64dbg

Related tags

Overview

HyperHide

Description

Compilation

Support

Usage Information

Examples

Features

1. Process Environment Block (PEB)

2. Heap Flags

3. Process Flags

4. Thread Flags

5. KUserSharedData

6. KiExceptionDisptach

7. NtQueryInformationProcess

8. NtQueryInformationThread

9. NtQueryInformationJobObject

10. NtQueryObject

11. NtQuerySystemInformation

12. NtQuerySystemTime

13. NtQueryPerformanceCounter

14. NtSetInformationThread

15. NtSetInformationProcess

16. NtSystemDebugControl

17. NtClose

18. NtSetContextThread

19. NtGetContextThread

20. NtCreateThreadEx

21. NtCreateProcessEx

22. NtCreateUserProcess

23. NtCreateFile

24. NtYieldExecution

25. NtOpenProcess

26. NtOpenThread

27. NtGetNextProcess

28. NtContinue

29. NtUserFindWindowEx

30. NtUserGetForegroundWindow

31. NtUserQueryWindow

32. NtUserBuildHwndList

Remarks

License

Special thanks to

Comments

Debugging Details:

Followup: MachineOwner

Debugging Details:

Followup: MachineOwner

Debugging Details:

Followup: MachineOwner

Releases(HyperHide_2022-08-07)

HyperHide_2022-08-07(Aug 7, 2022)

HyperHide_2021-10-14(Oct 14, 2021)

HyperHide_2021-08-25(Aug 25, 2021)

HyperHide_2021-08-01(Aug 1, 2021)

HyperHide_2021-07-19(Jul 19, 2021)

HyperHide_2021-06-13(Jun 13, 2021)

HyperHide_2021-06-06(Jun 6, 2021)

Owner

Air

A plugin for x64dbg.

x64Dbg plugin that enables C# plugins with hot-loading support and scripting.

Windows-only Remote Access Tool (RAT) with anti-debugging and anti-sandbox checks

With xshellex you can paste any kind of c-shellcode strings in x64dbg, ollydbg & immunity debugger

DotX64Dbg aims to provide a seamless way to write and test plugins for X64Dbg using .Net 5.0 and C#.

Debug heap useful for tracking down memory errors.

HyperDbg debugger is an open-source, hypervisor-assisted user-mode, and kernel-mode Windows debugger 🐞

Clang plugin to find method or property directable.

An efficient OpenFST-based tool for calculating WER and aligning two transcript sequences.

heaptrace is a ptrace-based debugger for tracking glibc heap operations in ELF64 (x86_64) binaries

A tool to automatically benchmark the most performant core based on X% lows/percentile fps in lava-lamp.

Class containing Anti-RE, Anti-Debug and Anti-Hook methods. Made for C++/CLI

Anti-Debug and Anti-Memory Dump for Android

ScyllaHide for IDA7.5; ScyllaHide IDA7.5; It is a really niccccccce anti-anti-debug tool

Leo Hypervisor. Type 1 hypervisor on Raspberry Pi 4 machine.

x64dbg plugin for simple spoofing of CPUID instruction behavior

A plugin for x64dbg.

x64Dbg plugin that enables C# plugins with hot-loading support and scripting.