Hypervisor based anti anti debug plugin for x64dbg

Related tags

Debug HyperHide
Overview

HyperHide

Table of Contents

Description

HyperHide is open-source hypervisor based Anti-Anti-Debug plugin for x64dbg/x32dbg. HyperHide uses Intel ept to hook various syscalls and also other functions which can be used to spot the presence of debugger.

Compilation

In order to compile project you need WDK and Visual Studio 2019

Support

HyperHide supports all Windows versions from Windows 7 up to the newest version (x64 only), and works only on intel processors with VT-x and EPT support.

Usage Information

Download pre compiled binaries or compile source code yourself.

Turn on test signing mode by running below command in cmd with administrator rights (after turning on restart system)

bcdedit /set testsigning on

Put HyperHideDrv.sys and airhv.sys to C:\Windows\System32\drivers then open Scripts folder in repository and execute create.bat with administrator rights. In order to turn on both drivers execute on.bat with administrator rights. If you want to turn off both airhv and HyperHideDrv execute off.bat with administrator rights (remember to turn off all x64dbg/x32dbg instances before turning off drivers).

32-bit: Copy HyperHide.ini and HyperHide.dp32 to your \x32\plugins\ directory.

64-bit: Copy HyperHide.ini and HyperHide.dp64 to your \x64\plugins\ directory.

To check if HyperHide is working correctly, use DebugView.

Examples

Output from al-khaser 64 bit:

al-khaser 64 bit:

Output from al-khaser 32 bit:

al-khaser 32 bit:

Features

1. Process Environment Block (PEB)

The most important anti-anti-debug option. Almost every protector checks for PEB values.

First and the most important one is BeingDebugged field in PEB. This field is set when you start process with debugger and indicates its presence.

Second is NtGlobalFlag field. It is set to 0 by deafult but when process is started by debugger the following flags are set

  • FLG_HEAP_ENABLE_TAIL_CHECK (0x10)
  • FLG_HEAP_ENABLE_FREE_CHECK (0x20)
  • FLG_HEAP_VALIDATE_PARAMETERS (0x40)

When Clear Peb BeingDebugged checkbox is set in plugin options then everytime you start debugging HyperHideDrv will clear BeingDebugged.

When Clear Peb NtGlobalFlag checkbox is set in plugin options then everytime you start debugging HyperHidDrv will clear NtGlobalFlag (Do not use if you are attaching to existing process).

2. Heap Flags

Heap contains two flags which are affected by debugger.

First is Flags field in heap which by default is set to HEAP_GROWABLE when process is started by debugger Flags is set to combination of these flags:

x86:

  • HEAP_GROWABLE (2)
  • HEAP_TAIL_CHECKING_ENABLED (0x20)
  • HEAP_FREE_CHECKING_ENABLED (0x40)
  • HEAP_SKIP_VALIDATION_CHECKS (0x10000000)
  • HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

x64:

  • HEAP_GROWABLE (2)
  • HEAP_TAIL_CHECKING_ENABLED (0x20)
  • HEAP_FREE_CHECKING_ENABLED (0x40)
  • HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

Second one is ForceFlags which by default is set to 0 When process is started by debugger, ForceFlags is set to combination of these flags:

  • HEAP_TAIL_CHECKING_ENABLED (0x20)
  • HEAP_FREE_CHECKING_ENABLED (0x40)
  • HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

When Clear Heap Flags checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will clear set Flags and ForceFlags to their default value (Do Not use if you are attaching to existing process).

3. Process Flags

Windows uses various process flags which can be used to detect debugger or to make the debugging harder.

  • First flag is BreakOnTermination. When set process termination leads to bsod

When Clear ProcessBreakOnTermination checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will clear this field in debugged process EPROCESS struct and save information if it was set or not for further use in NtQueryInformationProcess (Do Not use if you are starting process with debugger).

  • Second flag is ProcessHandleTracing. It indicates if process handle tracing is enable or not.

When Save ProcessHandleTracing checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will save information if it was set or not for further use in NtQueryInformationProcess (Do Not use if you are starting process with debugger).

  • Third flag is ProcessDebugFlags

When Save ProcessHandleTracing checkbox is set in plugin options then everytime you start debugging HyperHideDrv will save information if it was set or not for further use in NtQueryInformationProcess (Do Not use if you are starting process with debugger).

4. Thread Flags

Windows uses various thread flags which can be used to detect debugger or to make the debugging harder.

  • First flag is ThreadHideFromDebugger. When set debugger loses control under thread.

When Clear ThreadHideFromDebugger Flag checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will clear this field in debugged process thread ETHREAD struct and save information if it was set or not for further use in NtQueryInformationThread (Do Not use if you are starting process with debugger).

  • Second flag is BreakOnTermination. When set thread termination leads to bsod.

When Clear ThreadBreakOnTermination checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will clear this field in debugged process thread ETHREAD struct and save information if it was set or not for further use in NtQueryInformationThread (Do Not use if you are starting process with debugger).

  • Third flag is BypassProcessFreeze. When set calling NtSuspendProcess will ignore all threads which have this flag set (Flag exist on Windows version 19h1 up to the newest).

When Clear BypassProcessFreeze Flag checkbox is set in plugin options then everytime you start debugging HyperHideDrv will clear this field in debugged process thread KTHREAD struct (Do Not use if you are starting process with debugger).

5. KUserSharedData

KUserShared data is global shared page between all usermode processes located always in same exact address (0x7FFE0000). KUserShared has a lot of counters which can be used to perform time attacks.

When KUserSharedData checkbox is set in plugin options then everytime you start debugging HyperHideDrv will swap pfn of process kusd with fake one. Everytime when process is paused HyperHideDrv will stop updating counters. And after resuming counter would have values derrived from kernel version of KUserShared located always in same exact addres (0xFFFFF78000000000) minus the time when they were paused.

When Clear KUserSharedData checkbox is set in plugin options then HyperHideDrv will clear KdDebuggerEnabled field (works only if usermode kusershareddata page is replaced with fake one)

6. KiExceptionDisptach

KiExceptionDisptach is kernelmode function responsible for handling exceptions. HyperHideDrv hook it to clear debug registers or to send fake debug context if it was previously set with NtSetContextThread\NtSetInformationThread\NtContinue.

When KiExceptionDisptach checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function

7. NtQueryInformationProcess

NtQueryInformationProcess can be called with various PROCESSINFOCLASS values to detect debugger, for example:

  • ProcessDebugPort is used to retrive port number of the debugger for the process. If process is debuged this function writes -1 (0xFFFFFFFFFFFFFFFF) to buffer passed in ProcessInformation. Otherwise it writes 0 (HyperHideDrv always return 0).

  • ProcessDebugObjectHandle is used to query debug object handle if there is no attached debugger function write 0 to passed buffer and return status STATUS_PORT_NOT_SET (0xC0000353). HyperHideDrv will always return STATUS_PORT_NOT_SET

  • ProcessDebugFlags is used to query process flag NoDebugInherit. If debugger is attached function returns 0 otherway it returns 1. HyperHideDrv will return value previosly saved from NtSetInformationProcess or value which was saved while attaching.

  • ProcessBreakOnTermination is used to retrive information if process has BreakOnTermination flag set or not. HyperHideDrv will return value previously saved from NtSetInformationProcess or value which was cleared while attaching.

  • ProcessBasicInformation is used to retrive information of process parent id. HyperHide will return explorer.exe pid.

  • ProcessIoCounters is used to retrive informaton about io counters. HyperHideDrv will write 1 to OtherOperationCount field in IO_COUNTERS.

  • ProcessHandleTracing is used to retrive information if process handle tracing is enabled. HyperHideDrv will return value previously saved from NtSetInformationProcess or value which was saved while attaching.

When NtQueryInformationProcess checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handles above cases.

8. NtQueryInformationThread

NtQueryInformationThread can be called with various THREADINFOCLASS values to detect debugger for example:

  • ThreadHideFromDebugger is used to check if thread which handle to was passed in ThreadHandle function parameter has HideFromDebugger flag set or not. HyperHideDrv will return to 0 or 1 depends if process previously attempted to hide thread via NtSetInformationThread or if thread was hidden while attaching to process.

  • ThreadBreakOnTermination is used to retrive information if thread has BreakOnTermination flag set or not. HyperHideDrv will return value previously saved from NtSetInformationThread or value which was cleared while attaching.

  • ThreadWow64Context is used to retrive WOW64 context. Can be used only on thread which belongs to WOW64 process. HyperHideDrv will return zeroed or fake debug registers which was previously set in NtSetInformationThread with flag ThreadWow64Context.

When NtQueryInformationThread checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handles above cases.

9. NtQueryInformationJobObject

NtQueryInformationJobObject called with JOBOBJECTINFOCLASS JobObjectBasicProcessIdList can be used to list ids of all processes assiociated with the job and its child jobs. One of them can be a debugger, for example x64dbg/x32dbg. HyperHideDrv will check all pids and clear it if it is same as debugger pid.

When NtQueryInformationJobObject checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handles above case.

10. NtQueryObject

NtQueryObject called with OBJECT_INFORMATION_CLASS ObjectTypeInformation or ObjectTypesInformation can be used to get number of existing DebugObject handles. Since debuggers create such handle when they are debugging HyperHideDrv will return decremented number of DebugObject handles one per each active debugger.

When NtQueryObject checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handle above cases.

11. NtQuerySystemInformation

NtQuerySystemInformation called with OBJECT_INFORMATION_CLASS:

  • SystemKernelDebuggerInformation, SystemKernelDebuggerFlags and SystemKernelDebuggerInformationEx can be used to check if there is active kernel debugger . HyperHideDrv will always return that there are not any active kernel debuggers.

    • SystemProcessInformation, SystemSessionProcessInformation, SystemExtendedProcessInformation and SystemFullProcessInformation can be used to list all existing processes all their threads and their parent process id. HyperHideDrv will filter all forbidden processes like x64dbg/x32dbg, procmon, procexp and also will set explorer.exe as parent process pid.
  • SystemCodeIntegrityInformation is used to check if code integrity options is enabled. If it is not then you can load unsigned driver like for example HyperHideDrv. HyperHideDrv will always return that code integrity is enabled.

  • SystemExtendedHandleInformation and SystemHandleInformation is used to list all existing handles and process id which they belongs to. HyperHideDrv will filter all handles which belong to forbidden processes like x64dbg/x32dbg, procmon, procexp.

When NtQuerySystemInformation checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and handles above cases.

12. NtQuerySystemTime

NtQuerySystemTime can be used to query system time. HyperHideDrv will take SystemTime value from hooked KUserSharedData if there is one, otherway it will call original NtQuerySystemTime save it value and eveytime later it will increment this saved value and return it.

When NtQuerySystemTime checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

13. NtQueryPerformanceCounter

Same as in NtQuerySystemTime

When NtQueryPerformanceCounter checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

14. NtSetInformationThread

NtSetInformationThread can be called with various THREADINFOCLASS values to detect debugger for example:

  • ThreadHideFromDebugger is used to hide process from debugger. HyperHideDrv will ignore that request and save information that this thread was requested to be hidden and will use that information later in NtQueryInformationThread.

  • ThreadWow64Context is used to set WOW64 thread context. Can be used only on thread which belongs to WOW64 process. HyperHideDrv will ignore that request and save debug registers passed in context and use later in NtQueryInformationThread.

  • ThreadBreakOnTermination is used to set thread BreakOnTermination flag. When thread with this flag set is terminated bsod is throwed. HyperHideDrv ignore that request and save that information for later use in NtQueryInformationThread.

When NtSetInformationThread checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande above cases.

15. NtSetInformationProcess

NtQueryInformationProcess can be called with various PROCESSINFOCLASS values to detect debugger for example:

  • ProcessDebugFlags is used to set process flag NoDebugInherit. HyperHideDrv will save that information for later use in NtQueryInformationProcess.

  • ProcessBreakOnTermination is used to set BreakOnTermination flag. When process with this flag set is terminated bsod is throwed. HyperHideDrv will ignore that request and save that information for later use in NtQueryInformationProcess.

  • ProcessHandleTracing is used to enable process handle tracing. HyperHideDrv will save that information for later use in NtQueryInformationProcess.

When NtSetInformationProcess checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande above cases.

16. NtSystemDebugControl

NtSystemDebugControl should return always STATUS_DEBUGGER_INACTIVE if there is no active debugger or in case when Command is set to SysDbgGetTriageDump return should be STATUS_INFO_LENGTH_MISMATCH

When NtSystemDebugControl checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

17. NtClose

NtClose is used to close a handle. If there is a active debugger attempting to close invalid handle or protected one, the function throws an exception. HyperHideDrv check if such conditions are met and return without exception being throwed.

When NtClose checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

18. NtSetContextThread

NtSetContextThread can be used to clear/set dr registers which are used for hardware breakpoints. HyperHideDrv will clear flag in ContextFlags so it won't change dr register. It will also save dr values from passed context for later use in NtGetContextThread\KiExceptionDispatch.

When NtSetContextThread checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

19. NtGetContextThread

NtGetContextThread can be used to retrive context with dr registers which are used for hardware breakpoints. HyperHideDrv will set these dr registers in context to this previously saved in NtSetContextThread and if there aren't any it will be zeroed.

When NtGetContextThread checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

20. NtCreateThreadEx

NtCreateThreadEx is used to create a thread. It is possible to pass thread flags to function for example HideFromDebugger or FreezeBypassProcessFreeze. HyperHideDrv will create thread and ignore these flags at the same time will save information about them for further use in NtQueryInformationThread.

When NtCreateThreadEx checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

21. NtCreateProcessEx

Similar to NtCreateUserProcess but NtCreateProcessEx is deprecated and not used in new windows versions.

When NtCreateProcessEx checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

22. NtCreateUserProcess

NtCreateUserProcess is used to create process. HyperHideDrv will hide newly created process until debugger or new process exit.

When NtCreateUserProcess checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

23. NtCreateFile

NtCreateFile can be used to create a handle to a driver. HyperHideDrv will check if debugged process want to create handle to one of forbidden driver.

When NtCreateFile checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

24. NtYieldExecution

This method is not really reliable because it only shows if there a high priority thread in the current process. HyperHideDrv will always return STATUS_SUCCESS.

When NtYieldExecution checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

25. NtOpenProcess

NtOpenProcess can be used to enumerate all existing process since every process has it own pid. HyperHideDrv will check if pid belongs to any forbidden process like x64dbg/x32dbg, procmon, procexp.

When NtOpenProcess checkbox is set in plugin options then, everytime you start debugging HyperHideDrv will hook this function and hande it.

26. NtOpenThread

Same as NtOpenProcess but instead pid it uses tid (Thread ID)

When NtOpenThread checkbox is set in plugin options, then everytime you start debugging HyperHideDrv will hook this function and hande it.

27. NtGetNextProcess

Same as NtOpenProcess but instead pid it uses process handle

When NtGetNextProcess checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

28. NtContinue

Same as NtSetContextThread

When NtContinue checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

29. NtUserFindWindowEx

NtUserFindWindowEx can be used to retrieve a handle to the top-level window whose class name and window name match the specified strings. HyperHideDrv will check if specified names are forbidden.

When NtUserFindWindowEx checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

30. NtUserGetForegroundWindow

NtUserGetForegroundWindow can be used to retrieve a handle to the foreground window. If it is handle to debugger window then HyperHideDrv return NtUserGetThreadState with THREADSTATE_ACTIVEWINDOW.

When NtUserGetForegroundWindow checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

31. NtUserQueryWindow

NtUserQueryWindow can be used to retrieve the identifier of the thread that created the specified window or the identifier of the process that created the window. HyperHideDrv will check if window handle belongs to debugger and return debugged process pid or tid.

When NtUserQueryWindow checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

32. NtUserBuildHwndList

NtUserBuildHwndList can be used to list all windows. HyperHideDrv will find every handle to forbidden window and clear information about it.

When NtUserBuildHwndList checkbox is set in plugin options then everytime you start debugging HyperHideDrv will hook this function and hande it.

Remarks

Never run this driver on production system. Use virtual machine instead

License

HyperHide is under the GNU General Public License v3.

Special thanks to

ScyllaHide developers

al-khaser by Noteworthy

Check Point for Anti-Debug Tricks

Peter Ferrie for his Anti-Debug pdf

Comments
  •  BOSD  hv::vmread(GUEST_LDTR_SELECTOR);

    BOSD hv::vmread(GUEST_LDTR_SELECTOR);

    
    Microsoft (R) Windows Debugger Version 10.0.22000.1 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Windows\MEMORY.DMP]
    Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
    
    Symbol search path is: srv*
    Executable search path is: 
    Windows 10 Kernel Version 19041 MP (6 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
    Machine Name:
    Kernel base = 0xfffff806`72800000 PsLoadedModuleList = 0xfffff806`7342a190
    Debug session time: Fri Aug 27 16:09:05.529 2021 (UTC + 8:00)
    System Uptime: 0 days 0:05:00.392
    Loading Kernel Symbols
    ...............................................................
    .........Page 403808 not present in the dump file. Type ".hh dbgerr004" for details
    .......................................................
    ................................................................
    ............
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 00000000`01291018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    .........
    For analysis of this file, run !analyze -v
    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 00000000014ffd0a, memory referenced
    Arg2: 00000000000000ff, IRQL
    Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg4: fffff8067d13d64c, address which referenced memory
    
    Debugging Details:
    ------------------
    
    Unable to load image \??\D:\Debugger\xgDebuger\airhv.sys, Win32 error 0n2
    
    KEY_VALUES_STRING: 1
    
        Key  : Analysis.CPU.mSec
        Value: 2187
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 9408
    
        Key  : Analysis.Init.CPU.mSec
        Value: 2312
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 15751
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 105
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
    
    BUGCHECK_CODE:  d1
    
    BUGCHECK_P1: 14ffd0a
    
    BUGCHECK_P2: ff
    
    BUGCHECK_P3: 0
    
    BUGCHECK_P4: fffff8067d13d64c
    
    READ_ADDRESS:  00000000014ffd0a 
    
    ADDITIONAL_DEBUG_TEXT:  The trap occurred when interrupts are disabled on the target.
    
    BLACKBOXBSD: 1 (!blackboxbsd)
    
    
    BLACKBOXNTFS: 1 (!blackboxntfs)
    
    
    BLACKBOXPNP: 1 (!blackboxpnp)
    
    
    BLACKBOXWINLOGON: 1
    
    PROCESS_NAME:  xcoronahost.xem
    
    TRAP_FRAME:  ffffe30835072cc0 -- (.trap 0xffffe30835072cc0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=00000000014ffd0a
    rdx=0000000000005658 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff8067d13d64c rsp=ffffe30835072e50 rbp=00000000f344c014
     r8=0000000000e8b86f  r9=0000000000000000 r10=0000000000000000
    r11=000000000111e250 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up di ng nz na po nc
    airhv!vmexit_ldtr_access_handler+0xbc:
    fffff806`7d13d64c 488901          mov     qword ptr [rcx],rax ds:00000000`014ffd0a=????????????????
    Resetting default scope
    
    BAD_STACK_POINTER:  ffffe30835072b78
    
    STACK_TEXT:  
    ffffe308`35072b78 fffff806`72c09169     : 00000000`0000000a 00000000`014ffd0a 00000000`000000ff 00000000`00000000 : nt!KeBugCheckEx
    ffffe308`35072b80 fffff806`72c05469     : 1336d8ff`fff8067d ae6000ff`fff8067d 000040ff`fff80672 ae584a00`00000000 : nt!KiBugCheckDispatch+0x69
    ffffe308`35072cc0 fffff806`7d13d64c     : 00000000`0000080c fffff806`7d13ce77 ffffe308`35072ff8 fffff806`7d13d331 : nt!KiPageFault+0x469
    ffffe308`35072e50 fffff806`7d13dac8     : ffffe308`28913a70 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_ldtr_access_handler+0xbc [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 228] 
    ffffe308`35072ec0 fffff806`7d13139c     : ffffe308`35072f20 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_handler+0xe8 [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 1439] 
    ffffe308`35072f00 ffffe308`35072f20     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmm_entrypoint+0x4c [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\asm\vm_context.asm @ 60] 
    ffffe308`35072f08 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffe308`35072f20
    
    
    FAULTING_SOURCE_LINE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp
    
    FAULTING_SOURCE_FILE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp
    
    FAULTING_SOURCE_LINE_NUMBER:  228
    
    FAULTING_SOURCE_CODE:  
       224: 	{
       225: 		// SLDT
       226: 		case 0:
       227: 		{
    >  228: 			*linear_address = hv::vmread(GUEST_LDTR_SELECTOR);
       229: 
       230: 			break;
       231: 		}
       232: 
       233: 		// STR
    
    
    SYMBOL_NAME:  airhv!vmexit_ldtr_access_handler+bc
    
    MODULE_NAME: airhv
    
    IMAGE_NAME:  airhv.sys
    
    STACK_COMMAND:  .thread ; .cxr ; kb
    
    BUCKET_ID_FUNC_OFFSET:  bc
    
    FAILURE_BUCKET_ID:  DISABLED_INTERRUPT_FAULT_STACKPTR_ERROR_airhv!vmexit_ldtr_access_handler
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    FAILURE_ID_HASH:  {d9cba956-7904-06a1-f790-6a47973b5789}
    
    Followup:     MachineOwner
    ---------
    
    
    }...
    opened by gamegrd 5
  • [SC] StartService FAILED 31: a device attached to the system is not functioning

    [SC] StartService FAILED 31: a device attached to the system is not functioning

    917

    DebugView seems to have shown nothing interesting? i'm sure that i did anything on README. Airhv is fine, but hyperhidedrv can't start. (windows 11 and patchguard is disabled)

    opened by virginity-is-cool 3
  • HookedNtYieldExecution return value error

    HookedNtYieldExecution return value error

    if(Hider::IsHidden(IoGetCurrentProcess(), HIDE_NT_YIELD_EXECUTION) == TRUE) { OriginalNtYieldExecution(); return STATUS_SUCCESS; //return here STATUS_NO_YIELD_PERFORMED }

    opened by taodaqiao 1
  • Fucking BSOD

    Fucking BSOD

    Hi,i try use this plugin for bypass antidebug themida (last vershion). If i start on.bat,then i get BSOD. I am just starting to learn in drivers so I can't fix it. Code mistake:WHEA UNCORRECTABLE ERROR Dump: https://drive.google.com/file/d/1ZZdgCOR3n5V5I8wAcOmC2cUh_cXDttD_/view?usp=sharing

    Also i recomended add hook NtQueryLicenseValue.It's can call from ring3 for check test mode(CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners). You can see mode informathion hear: https://github.com/HyperSine/Windows10-CustomKernelSigners

    opened by Ahora57 1
  • AMD CPU failed to turn on the driver

    AMD CPU failed to turn on the driver

    My CPU is AMD 1950x and CPU virtualization is enabled, but the driver is always in the state of loading failure.

    I System Ver: Microsoft Windows [Version 10.0.19043.1110]

    I started the test mode of windows 10 with the following command to allow unsigned driver loading options.

    The driver could not be loaded

    bcdedit.exe /set nointegritychecks on 
    bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS
    bcdedit.exe /set testsigning on
    

    error: C:\Windows\system32>sc start airhv [SC] StartService fail 2: C:\Windows\system32>sc start HyperHideDrv [SC] StartService fail 31:

    20210731001035

    opened by bitxx 1
  • DRIVER_IRQL_NOT_LESS_OR_EQUAL on WIN7X64 with HyperHide_2021-07-19

    DRIVER_IRQL_NOT_LESS_OR_EQUAL on WIN7X64 with HyperHide_2021-07-19

    Loading Dump File [C:\Windows\Minidump\072121-11247-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv* Executable search path is: Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.24384.amd64fre.win7sp1_ldr_escrow.190220-1800 Machine Name: Kernel base = 0xfffff80005251000 PsLoadedModuleList = 0xfffff8000548ac90 Debug session time: Wed Jul 21 13:33:27.203 2021 (UTC + 8:00) System Uptime: 0 days 0:01:57.592 Loading Kernel Symbols

    1: kd> !analyze -v


    •                                                                         *
      
    •                    Bugcheck Analysis                                    *
      
    •                                                                         *
      

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: fffff88003b80000, memory referenced Arg2: 0000000000000002, IRQL Arg3: 0000000000000000, value 0 = read operation, 1 = write operation Arg4: fffff8800307ab03, address which referenced memory

    Debugging Details:

    *** WARNING: Unable to verify timestamp for airhv.sys fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock GetUlongPtrFromAddress: unable to read from fffff800054ee300

    KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 3
    
    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on WIN-3TVJD1ASNOS
    
    Key  : Analysis.DebugData
    Value: CreateObject
    
    Key  : Analysis.DebugModel
    Value: CreateObject
    
    Key  : Analysis.Elapsed.Sec
    Value: 11
    
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 68
    
    Key  : Analysis.System
    Value: CreateObject
    

    VIRTUAL_MACHINE: VMware

    BUGCHECK_CODE: d1

    BUGCHECK_P1: fffff88003b80000

    BUGCHECK_P2: 2

    BUGCHECK_P3: 0

    BUGCHECK_P4: fffff8800307ab03

    READ_ADDRESS: fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock Unable to get MmSystemRangeStart GetUlongPtrFromAddress: unable to read from fffff800054ee2f0 GetUlongPtrFromAddress: unable to read from fffff800054ee4a8 fffff88003b80000

    CUSTOMER_CRASH_COUNT: 1

    PROCESS_NAME: vmtoolsd.exe

    TRAP_FRAME: fffffa8031432cd0 -- (.trap 0xfffffa8031432cd0) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000000000 rbx=0000000000000000 rcx=000000000000f5d8 rdx=000000000000fed0 rsi=0000000000000000 rdi=0000000000000000 rip=fffff8800307ab03 rsp=fffffa8031432e60 rbp=fffffa8031bff810 r8=000000000000fec0 r9=0000000000000020 r10=0000000000000718 r11=fffffa8031432e68 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up di pl nz na pe nc airhv+0x9b03: fffff880`0307ab03 f36e rep outs dx,byte ptr [rsi] Resetting default scope

    BAD_STACK_POINTER: fffffa8031432b88

    STACK_TEXT:
    fffffa8031432b88 fffff800052f2f69 : 000000000000000a fffff88003b80000 0000000000000002 0000000000000000 : nt!KeBugCheckEx fffffa8031432b90 fffff800052f0d88 : 0000000000000000 fffff88003b80000 0000000000000000 fffff88003b7f718 : nt!KiBugCheckDispatch+0x69 fffffa8031432cd0 fffff8800307ab03 : fffff80005264d0f fffff88000000001 000000007ff4c718 0000000000000000 : nt!KiPageFault+0x448 fffffa8031432e60 fffff80005264d0f : fffff88000000001 000000007ff4c718 0000000000000000 fffff8a001937ce0 : airhv+0x9b03 fffffa8031432e68 fffff88000000001 : 000000007ff4c718 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 : nt!MmCreateMdl+0xb7 fffffa8031432e70 000000007ff4c718 : 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 : 0xfffff88000000001 fffffa8031432e78 0000000000000000 : fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 fffff880`0307a15d : 0x7ff4c718

    SYMBOL_NAME: airhv+9b03

    MODULE_NAME: airhv

    IMAGE_NAME: airhv.sys

    STACK_COMMAND: .thread ; .cxr ; kb

    FAILURE_BUCKET_ID: X64_0xD1_STACKPTR_ERROR_airhv+9b03

    OS_VERSION: 7.1.7601.24384

    BUILDLAB_STR: win7sp1_ldr_escrow

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 7

    FAILURE_ID_HASH: {7ac92028-be9a-ed12-5957-bd8308811d0f}

    Followup: MachineOwner

    opened by jianxq 1
  • Crash with HyperHide_2021-06-13

    Crash with HyperHide_2021-06-13

    Loading Dump File [C:\Windows\Minidump\062621-23977-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv* Executable search path is: Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.24441.amd64fre.win7sp1_ldr.190418-1735 Machine Name: Kernel base = 0xfffff80006808000 PsLoadedModuleList = 0xfffff80006a41c90 Debug session time: Sat Jun 26 23:37:11.662 2021 (UTC + 8:00) System Uptime: 0 days 1:21:39.427 Loading Kernel Symbols ............................................................... ................................................................ .................................................. Loading User Symbols Loading unloaded module list .......... For analysis of this file, run !analyze -v 3: kd> !analyze -v


    •                                                                         *
      
    •                    Bugcheck Analysis                                    *
      
    •                                                                         *
      

    CRITICAL_STRUCTURE_CORRUPTION (109) This bugcheck is generated when the kernel detects that critical kernel code or data have been corrupted. There are generally three causes for a corruption:

    1. A driver has inadvertently or deliberately modified critical kernel code or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
    2. A developer attempted to set a normal kernel breakpoint using a kernel debugger that was not attached when the system was booted. Normal breakpoints, "bp", can only be set if the debugger is attached at boot time. Hardware breakpoints, "ba", can be set at any time.
    3. A hardware corruption occurred, e.g. failing RAM holding kernel code or data. Arguments: Arg1: a3a039d8a7a328fd, Reserved Arg2: b3b7465efa213a23, Reserved Arg3: 00000000c0000080, Failure type dependent information Arg4: 0000000000000007, Type of corrupted region, can be 0 : A generic data region 1 : Modification of a function or .pdata 2 : A processor IDT 3 : A processor GDT 4 : Type 1 process list corruption 5 : Type 2 process list corruption 6 : Debug routine modification 7 : Critical MSR modification 8 : Object type 9 : A processor IVT a : Modification of a system service function b : A generic session data region c : Modification of a session function or .pdata d : Modification of an import table e : Modification of a session import table f : Ps Win32 callout modification 10 : Debug switch routine modification 11 : IRP allocator modification 12 : Driver call dispatcher modification 13 : IRP completion dispatcher modification 14 : IRP deallocator modification 15 : A processor control register 16 : Critical floating point control register modification 17 : Local APIC modification 18 : Kernel notification callout modification 19 : Loaded module list modification 1a : Type 3 process list corruption 1b : Type 4 process list corruption 1c : Driver object corruption 1d : Executive callback object modification 1e : Modification of module padding 1f : Modification of a protected process 20 : A generic data region 21 : A page hash mismatch 22 : A session page hash mismatch 23 : Load config directory modification 24 : Inverted function table modification 25 : Session configuration modification 26 : An extended processor control register 27 : Type 1 pool corruption 28 : Type 2 pool corruption 29 : Type 3 pool corruption 2a : Type 4 pool corruption 2b : Modification of a function or .pdata 2c : Image integrity corruption 2d : Processor misconfiguration 2e : Type 5 process list corruption 2f : Process shadow corruption 30 : Retpoline code page corruption 101 : General pool corruption 102 : Modification of win32k.sys

    Debugging Details:

    fffff800069ea0e8: Unable to get Flags value from nt!KdVersionBlock GetUlongPtrFromAddress: unable to read from fffff80006aa5300

    KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 1
    
    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on XU-PC
    
    Key  : Analysis.DebugData
    Value: CreateObject
    
    Key  : Analysis.DebugModel
    Value: CreateObject
    
    Key  : Analysis.Elapsed.Sec
    Value: 1
    
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 66
    
    Key  : Analysis.System
    Value: CreateObject
    

    BUGCHECK_CODE: 109

    BUGCHECK_P1: a3a039d8a7a328fd

    BUGCHECK_P2: b3b7465efa213a23

    BUGCHECK_P3: c0000080

    BUGCHECK_P4: 7

    CUSTOMER_CRASH_COUNT: 1

    PROCESS_NAME: System

    STACK_TEXT:
    fffff88004d08498 0000000000000000 : 0000000000000109 a3a039d8a7a328fd b3b7465efa213a23 00000000c0000080 : nt!KeBugCheckEx

    SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

    MODULE_NAME: Unknown_Module

    IMAGE_NAME: Unknown_Image

    STACK_COMMAND: .thread ; .cxr ; kb

    FAILURE_BUCKET_ID: BAD_STACK_0x109

    OS_VERSION: 7.1.7601.24441

    BUILDLAB_STR: win7sp1_ldr

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 7

    FAILURE_ID_HASH: {b4d7023a-05c3-49b2-3ea4-6240fe57d90e}

    Followup: MachineOwner

    opened by TinyOra 1
  • Compile failed (win7 x64 6.1.7601.24441)

    Compile failed (win7 x64 6.1.7601.24441)

    When i try to compile the latest code, i got a lot of errors, can someone tell me how to fix? thanks for a lot.

    捕获

    Details: Windows 7 x64 sp1 ( 6.1.7601.24441) Microsoft Visual Studio Enterprise 2019 version 16.10.2 WDK 10.0.19030.1000

    opened by TinyOra 1
  • Crash when selecting KUserSharedData or Clear KUserSharedData

    Crash when selecting KUserSharedData or Clear KUserSharedData

    Loading Dump File [F:\061221-52203-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available

    ************* Path validation summary ************** Response Time (ms) Location Deferred srv* Symbol search path is: srv* Executable search path is: Windows 10 Kernel Version 18362 MP (16 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 18362.1.amd64fre.19h1_release.190318-1202 Machine Name: Kernel base = 0xfffff8056cc00000 PsLoadedModuleList = 0xfffff8056d0432b0 Debug session time: Sat Jun 12 13:51:05.767 2021 (UTC + 11:00) System Uptime: 0 days 16:38:38.687 Loading Kernel Symbols ............................................................... ................................................................ ................................... Loading User Symbols Loading unloaded module list .................................................. For analysis of this file, run !analyze -v nt!KeBugCheckEx: fffff8056cdbc8a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa2824a02f2d0=0000000000000050 4: kd> !analyze -v


    •                                                                         *
      
    •                    Bugcheck Analysis                                    *
      
    •                                                                         *
      

    PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffba8c0b649900, memory referenced. Arg2: 0000000000000011, value 0 = read operation, 1 = write operation. Arg3: ffffba8c0b649900, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000002, (reserved)

    Debugging Details:

    *** WARNING: Unable to verify timestamp for HyperHideDrv.sys

    Could not read faulting driver name

    KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 8
    
    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on E5_1
    
    Key  : Analysis.DebugData
    Value: CreateObject
    
    Key  : Analysis.DebugModel
    Value: CreateObject
    
    Key  : Analysis.Elapsed.Sec
    Value: 34
    
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 70
    
    Key  : Analysis.System
    Value: CreateObject
    

    BUGCHECK_CODE: 50

    BUGCHECK_P1: ffffba8c0b649900

    BUGCHECK_P2: 11

    BUGCHECK_P3: ffffba8c0b649900

    BUGCHECK_P4: 2

    WRITE_ADDRESS: fffff8056d16e3b0: Unable to get MiVisibleState Unable to get NonPagedPoolStart Unable to get NonPagedPoolEnd Unable to get PagedPoolStart Unable to get PagedPoolEnd fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock unable to get nt!MmSpecialPagesInUse ffffba8c0b649900

    MM_INTERNAL_CODE: 2

    CUSTOMER_CRASH_COUNT: 1

    PROCESS_NAME: procexp64.exe

    TRAP_FRAME: ffffa2824a02f570 -- (.trap 0xffffa2824a02f570) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000004025 rbx=0000000000000000 rcx=0000000fffffffff rdx=fffffc7e3f1f8000 rsi=0000000000000000 rdi=0000000000000000 rip=ffffba8c0b649900 rsp=ffffa2824a02f708 rbp=fffff805781a9ea0 r8=0000000000000001 r9=0000000000010fd4 r10=fffffffff4a68134 r11=000000000034bdea r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz ac po nc ffffba8c0b649900 0300 add eax,dword ptr [rax] ds:0000000000004025=???????? Resetting default scope

    STACK_TEXT:
    ffffa2824a02f2c8 fffff8056cddfd54 : 0000000000000050 ffffba8c0b649900 0000000000000011 ffffa2824a02f570 : nt!KeBugCheckEx ffffa2824a02f2d0 fffff8056cc7aaef : 0000000000000000 0000000000000011 0000000000000000 ffffba8c0b649900 : nt!MiSystemFault+0x1d2d64 ffffa2824a02f3d0 fffff8056cdca79a : 0000000000000000 00001f8000000100 0000000000000000 fffff805781a9ebc : nt!MmAccessFault+0x34f ffffa2824a02f570 ffffba8c0b649900 : 9100000004025025 ffff82812e603000 ffffba8c003de870 000000023ff05000 : nt!KiPageFault+0x35a ffffa2824a02f708 9100000004025025 : ffff82812e603000 ffffba8c003de870 000000023ff05000 fffff805781a36c2 : 0xffffba8c0b649900 ffffa2824a02f710 ffff82812e603000 : ffffba8c003de870 000000023ff05000 fffff805781a36c2 0000000000000002 : 0x9100000004025025 ffffa2824a02f718 ffffba8c003de870 : 000000023ff05000 fffff805781a36c2 0000000000000002 000000000034be08 : 0xffff82812e603000 ffffa2824a02f720 000000023ff05000 : fffff805781a36c2 0000000000000002 000000000034be08 fffff8056cc01000 : 0xffffba8c003de870 ffffa2824a02f728 fffff805781a36c2 : 0000000000000002 000000000034be08 fffff8056cc01000 ffffba8c0b649900 : 0x000000023ff05000 ffffa2824a02f730 0000000000000002 : 000000000034be08 fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 : HyperHideDrv+0x36c2 ffffa2824a02f738 000000000034be08 : fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c : 0x2 ffffa2824a02f740 fffff8056cc01000 : ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 : 0x34be08 ffffa2824a02f748 ffffba8c0b649900 : fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 : nt!SeConvertSecurityDescriptorToStringSecurityDescriptor+0xfffffffffffffff0 ffffa2824a02f750 fffff805781ac2b0 : fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 0000000000000000 : 0xffffba8c0b649900 ffffa2824a02f758 fffff8056ccdc92c : ffffba8c08e71eb0 0000000000000002 0000000000000000 0000000000000000 : HyperHideDrv+0xc2b0 ffffa2824a02f760 fffff805781a1e10 : ffffba8c003de870 ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 : nt!KeAcquireGuardedMutex+0x1c ffffa2824a02f790 ffffba8c003de870 : ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 : HyperHideDrv+0x1e10 ffffa2824a02f798 ffffba8c0dc8e380 : ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 0000000000000000 : 0xffffba8c003de870 ffffa2824a02f7a0 ffffba8c08e71eb0 : fffff8056cf503a9 0000000000000000 0000000000000000 0000000000000000 : 0xffffba8c0dc8e380 ffffa2824a02f7a8 fffff8056cf503a9 : 0000000000000000 0000000000000000 0000000000000000 fffff805781a1489 : 0xffffba8c08e71eb0 ffffa2824a02f7b0 fffff8056cc31cc9 : ffffba8c08e71eb0 0000000000000001 0000000000000001 000000000000020c : nt!_guard_retpoline_exit_indirect_rax+0x9 ffffa2824a02f800 fffff8056d1eb6c5 : ffffa2824a02fb80 ffffba8c08e71eb0 0000000000000001 ffffba8c0b70d690 : nt!IofCallDriver+0x59 ffffa2824a02f840 fffff8056d1eb01a : ffffba8c08e71eb0 ffffa2824a02fb80 000000000022240c ffffa2824a02fb80 : nt!IopSynchronousServiceTail+0x1a5 ffffa2824a02f8e0 fffff8056d1eaa36 : ba8c0d9ed5b0ffed 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x5ca ffffa2824a02fa20 fffff8056cdcdf98 : 0000000000000001 ffffa2824a02fb00 0000000000000000 ffffa2824a02fa00 : nt!NtDeviceIoControlFile+0x56 ffffa2824a02fa90 00007ffeb4bdc144 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28 000000c7ab4ff758 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`b4bdc144

    SYMBOL_NAME: HyperHideDrv+36c2

    MODULE_NAME: HyperHideDrv

    IMAGE_NAME: HyperHideDrv.sys

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 36c2

    FAILURE_BUCKET_ID: AV_INVALID_HyperHideDrv!unknown_function

    OS_VERSION: 10.0.18362.1

    BUILDLAB_STR: 19h1_release

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    FAILURE_ID_HASH: {d37c959a-417f-c891-0472-d90c19d031fc}

    Followup: MachineOwner

    opened by baby0o01999 1
  • Please also handle NtContinueEx

    Please also handle NtContinueEx

    Hello,

    First of all let me say that you created here a really great peace of software, thank you very much.

    But now to the issue, since windows 10 2004 MSFT added an extended version of the NtContinue sys call called NtContinueEx And I already have seen it being used for example by the Line messager.

    It would be great if you could add handling for the NtContinueEx as well

    Cheers David

    opened by DavidXanatos 1
  • Failed to load plugin in x64dbg

    Failed to load plugin in x64dbg

    When I open x64dbg I get [PLUGIN] Failed to load plugin: HyperHide.dp64 in the logs. I made sure that the airhv and HyperHideDrv drivers were loaded by using driverquery.

    My Installation steps

    1. Copy HyperHideDrv.sys and airhv.sys to C:\Windows\System32\drivers
    2. Disable driver signing
    3. Run create.bat script as administrator
    4. Run on.bat script as administrator
    5. Copy HyperHide.dp64 and HyperHide.ini to x64dbg plugins folder
    6. Run x64dbg

    Computer details

    • Windows 10 19043.928
    • Intel Core i7-4770HQ
    • x64dbg snapshot_2021-05-08_14-17
    opened by dustinlieu 1
  • sign incorrectly

    sign incorrectly

    cmd: C:\WINDOWS\system32>sc start airhv [SC] StartService FAILED 577:

    Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    C:\WINDOWS\system32>sc start HyperHideDrv [SC] StartService FAILED 577:

    Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    C:\WINDOWS\system32>pause Press any key to continue . . .

    opened by reltkaine 1
Releases(HyperHide_2022-08-07)
Owner
Air
Air
A plugin for x64dbg.

x128dbg x128dbg 是一个 x64dbg 的插件,随着时间的推移,它会有越来越多的功能 目前的 x128dbg 的版本为 v1 ,它提供了查看汇编指令手册的功能 查看汇编指令手册 有时,我们在使用 x64dbg 调试时,会碰到不认识的汇编指令(即使开启了 x64dbg 自带的 Ctrl+

古月浪子 21 Sep 22, 2022
x64Dbg plugin that enables C# plugins with hot-loading support and scripting.

DotX64Dbg (EARLY ALPHA) Plugins and Scripting with C# for x64Dbg. Create Plugins for X64Dbg with ease DotX64Dbg aims to provide a seamless way to writ

x64dbg 108 Dec 26, 2022
Windows-only Remote Access Tool (RAT) with anti-debugging and anti-sandbox checks

RATwurst Windows-only Remote Access Tool (RAT) with anti-debugging and anti-sandbox checks. For educational purposes only. The reason behind this proj

AccidentalRebel 35 Dec 5, 2022
With xshellex you can paste any kind of c-shellcode strings in x64dbg, ollydbg & immunity debugger

With xshellex you can paste any kind of c-shellcode strings in x64dbg, ollydbg & immunity debugger. Also you can convert the "binary-copied-clipboard" to c-shellcode string.

David Reguera Garcia aka Dreg 30 Oct 7, 2022
DotX64Dbg aims to provide a seamless way to write and test plugins for X64Dbg using .Net 5.0 and C#.

DotX64Dbg (EARLY ALPHA) Plugins and Scripting with C# for x64Dbg. Create Plugins for X64Dbg with ease DotX64Dbg aims to provide a seamless way to writ

ζeh Matt 7 Oct 16, 2022
Debug heap useful for tracking down memory errors.

ig-debugheap - A debugging heap This is a debug heap useful when trying to track down memory errors (especially on Windows, where there's no Valgrind.

Andreas Fredriksson 168 Dec 3, 2022
HyperDbg debugger is an open-source, hypervisor-assisted user-mode, and kernel-mode Windows debugger 🐞

HyperDbg debugger is an open-source, hypervisor-assisted user-mode, and kernel-mode Windows debugger with a focus on using modern hardware technologies. It is a debugger designed for analyzing, fuzzing and reversing. ??

HyperDbg 2k Dec 30, 2022
Clang plugin to find method or property directable.

ObjCDirectFinder Clang had provided objc_direct attribute for us to write this: @property (nonatomic, assign, direct) BOOL isLaunchFinished; - (BOOL)i

Kam-To 3 Jun 2, 2022
An efficient OpenFST-based tool for calculating WER and aligning two transcript sequences.

fstalign Overview Installation Dependencies Build Docker Quickstart WER Subcommand Align Subcommand Inputs Outputs Overview fstalign is a tool for cre

Rev 108 Dec 12, 2022
heaptrace is a ptrace-based debugger for tracking glibc heap operations in ELF64 (x86_64) binaries

heaptrace is a ptrace-based debugger for tracking glibc heap operations in ELF64 (x86_64) binaries. Its purpose is to help visualize heap operations when debugging binaries or doing heap pwn.

Aaron Esau 252 Dec 21, 2022
A tool to automatically benchmark the most performant core based on X% lows/percentile fps in lava-lamp.

AutoGpuAffinity A tool to automatically benchmark the best physical CPU for the GPU to execute dpcs/isrs on based on 0.1% percentile/lows fps. Tips to

AMIT 0 Jun 12, 2022
Class containing Anti-RE, Anti-Debug and Anti-Hook methods. Made for C++/CLI

Umium Class containing Anti-RE, Anti-Debug and Anti-Hook methods. Easy to use and easy to implement. Disclaimer This code has been made and optimized

null 59 Dec 23, 2022
Anti-Debug and Anti-Memory Dump for Android

AntiDebugandMemoryDump Anti-Debug and Anti-Memory Dump for Android Some known techniques for anti-debug and anti-memory dump have been used in this pr

Darvin 184 Dec 25, 2022
ScyllaHide for IDA7.5; ScyllaHide IDA7.5; It is a really niccccccce anti-anti-debug tool

Hint 支持原项目,谢谢原项目作者,我只是改了改代码,以支持IDA7.5 ( 原本只支持IDA6.8 )。我觉得原作者应该会介意。 有事麻烦联系我删除。sorry Thank you for the original project developer ScyllaHide Thanks、Than

彳 亍 157 Dec 15, 2022
Leo Hypervisor. Type 1 hypervisor on Raspberry Pi 4 machine.

Leo Hypervisor Leo. Type 1 hypervisor on Raspberry Pi 4 machine. Set Up This setup was tested on Debian Install Required Dependencies and Toolchain su

Mushahid Hussain 15 Dec 5, 2022
x64dbg plugin for simple spoofing of CPUID instruction behavior

CPUID Spoofer CpuidSpoofer is a x64dbg plugin which helps you to modify the behaviour of the CPUID instruction. For example, you can easily change the

null 56 Jan 8, 2023
A plugin for x64dbg.

x128dbg x128dbg 是一个 x64dbg 的插件,随着时间的推移,它会有越来越多的功能 目前的 x128dbg 的版本为 v1 ,它提供了查看汇编指令手册的功能 查看汇编指令手册 有时,我们在使用 x64dbg 调试时,会碰到不认识的汇编指令(即使开启了 x64dbg 自带的 Ctrl+

古月浪子 21 Sep 22, 2022
x64Dbg plugin that enables C# plugins with hot-loading support and scripting.

DotX64Dbg (EARLY ALPHA) Plugins and Scripting with C# for x64Dbg. Create Plugins for X64Dbg with ease DotX64Dbg aims to provide a seamless way to writ

x64dbg 108 Dec 26, 2022
Windows-only Remote Access Tool (RAT) with anti-debugging and anti-sandbox checks

RATwurst Windows-only Remote Access Tool (RAT) with anti-debugging and anti-sandbox checks. For educational purposes only. The reason behind this proj

AccidentalRebel 35 Dec 5, 2022
With xshellex you can paste any kind of c-shellcode strings in x64dbg, ollydbg & immunity debugger

With xshellex you can paste any kind of c-shellcode strings in x64dbg, ollydbg & immunity debugger. Also you can convert the "binary-copied-clipboard" to c-shellcode string.

David Reguera Garcia aka Dreg 30 Oct 7, 2022