Little driver for detecting UM/KM debuggers and hypervisors

Overview

MAJESTY-technologies

Little driver for protection.
The driver is still under development, so you can submit your ideas!
I wrote it for manual mapping, because I don't have a certificate for driver signing.

Version 1.1

I tried to make this driver use DKOM as much as possible.

Anti-UM debug:
1) PEPROCESS -> DebugPort (non-NULL while a user-mode debugger is attached)
2) PEPROCESS -> NoDebugInherit
3) PETHREAD -> HideFromDebugger (set manually, the way EAC does)
4) PEPROCESS -> InheritedFromUniqueProcessId, compared with the PID of explorer.exe (a process started from a debugger has the debugger, not the shell, as its parent)

Anti-analysis:
1) Check the instrumentation callback (PEPROCESS -> Pcb -> InstrumentationCallback), which user-mode hooking/tracing tools install to intercept syscall returns
2) Make the process protected

Anti-KM debug:
1) Check kernel debugger state variables located by offset/signature (e.g. KdEnteredDebugger)
2) Check whether the Kd functions return STATUS_DEBUGGER_INACTIVE

Anti-Hypervisor:
1) Timing attack
2) Check for anomalies

To-do list:
1) Write communication (UM <-> KM)
2) Use hashes to resolve NtApi addresses
3) Check for some hooks?

Check instrumentation callbacks (under VMware) -> [screenshot]
Set protected process -> [screenshot]
Running under HyperHide -> [screenshot]

Issues
  • Support Windows 7-11

    At the moment the offsets for DKOM (7-11) are correct, but some patterns have errors. Example: Windows 8.1

        48 89 5C 24 08          mov     [rsp+arg_0], rbx
        48 89 74 24 10          mov     [rsp+arg_8], rsi
        4C 89 74 24 18          mov     [rsp+arg_10], r14
        41 57                   push    r15
        48 81 EC 10 01 00 00    sub     rsp, 110h
        4C 8B D2                mov     r10, rdx
        83 64 24 44 00          and     dword ptr [rsp+118h+var_D4], 0
        48 83 64 24 48 00       and     [rsp+118h+var_D4+4], 0
        48 83 64 24 50 00       and     [rsp+118h+var_C8], 0
        8A 05 FE 92 CA FF       mov     al, cs:KdpBootedNodebug
        84 C0                   test    al, al
        75 14                   jnz     short loc_1405EE72E

    Windows 10

        48 89 5C 24 08          mov     [rsp+arg_0], rbx
        56                      push    rsi
        48 81 EC 70 01 00 00    sub     rsp, 170h
        4C 8B D2                mov     r10, rdx
        83 64 24 44 00          and     dword ptr [rsp+178h+var_134], 0
        48 83 64 24 48 00       and     [rsp+178h+var_134+4], 0
        48 83 64 24 50 00       and     [rsp+178h+P], 0
        80 3D 88 88 35 00 00    cmp     cs:KdpBootedNodebug, 0
        75 12                   jnz     short loc_1408B6B2C

    The pattern (4C 8B D2 83 64 24 ? ? 48 83) will be found correctly, but the bytes 0x80, 0x3D will not be found.

    opened by Ahora57
Owner
Discord: Ahora#4086
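The issue above and the "check kernel debugger state variables by offset/signature" item in the README both come down to the same step: finding a kernel debugger flag by byte signature and then resolving the RIP-relative reference to it. The C below is an added example, not code from this driver. It implements a wildcard byte-pattern scanner, shows that the issue's anchor pattern matches both listings while a search for the bytes `80 3D` only succeeds on the Windows 10 bytes, and then resolves the flag's address by accepting either encoding of the read: `80 3D rel32 imm8` (cmp byte ptr [rip+rel32], imm8, Windows 10) or `8A 05 rel32` (mov al, [rip+rel32], Windows 8.1). The two byte arrays are constructed from the listings in the issue, and 0x140000000 is an assumed image base taken from the IDA addresses in the listing; in a real driver the buffer would be the code of the Kd function read from the loaded ntoskrnl image and the base its actual load address.

```c
/*
 * Added example (not part of the MAJESTY-technologies driver): wildcard pattern scan
 * plus resolution of the RIP-relative read of KdpBootedNodebug on Win 8.1 and Win 10.
 * Byte arrays are constructed from the issue's listings; the image base is assumed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint8_t value; uint8_t wildcard; } pat_byte_t;

/* Parse "4C 8B D2 ? ? 48" into bytes; '?' (or "??") is a wildcard. Returns count or -1. */
static int parse_pattern(const char *text, pat_byte_t *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (*p == '?') {
            out[n].value = 0; out[n].wildcard = 1; n++;
            p++; if (*p == '?') p++;
        } else {
            char *end;
            unsigned long v = strtoul(p, &end, 16);
            if (end == p || v > 0xFF) return -1;
            out[n].value = (uint8_t)v; out[n].wildcard = 0; n++;
            p = end;
        }
    }
    return n;
}

/* First offset in buf where the parsed pattern matches, or -1. */
static long find_pattern(const uint8_t *buf, size_t len, const pat_byte_t *pat, int n)
{
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        int j = 0;
        while (j < n && (pat[j].wildcard || buf[i + j] == pat[j].value)) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Convenience: parse + scan in one call (this is the check that fails on 8.1 for "80 3D"). */
static long find_bytes(const uint8_t *buf, size_t len, const char *pattern)
{
    pat_byte_t pat[32];
    int n = parse_pattern(pattern, pat, 32);
    return (n > 0) ? find_pattern(buf, len, pat, n) : -1;
}

typedef enum { REF_NONE = 0, REF_CMP_BYTE_RIP = 1, REF_MOV_AL_RIP = 2 } ref_kind_t;
typedef struct { ref_kind_t kind; size_t insn_off; int32_t rel32; uint64_t target; } data_ref_t;

/* Scan forward from `from` (at most `window` bytes) for the first RIP-relative read of the
 * flag:  80 3D rel32 imm8 = cmp byte ptr [rip+rel32], imm8 (7 bytes, Win 10)
 *        8A 05 rel32      = mov al, [rip+rel32]            (6 bytes, Win 8.1)
 * target = image_base + offset of the next instruction + rel32.
 * Caveat: a byte scan, not a disassembler. Keep the window small so the two-byte opcode
 * is not matched inside another instruction's immediate or displacement. */
static data_ref_t resolve_flag_ref(const uint8_t *buf, size_t len, size_t from,
                                   size_t window, uint64_t image_base)
{
    data_ref_t r = { REF_NONE, 0, 0, 0 };
    size_t end = (from + window < len) ? from + window : len;
    for (size_t i = from; i + 1 < end; i++) {
        ref_kind_t k = REF_NONE; size_t ilen = 0;
        if (buf[i] == 0x80 && buf[i + 1] == 0x3D) { k = REF_CMP_BYTE_RIP; ilen = 7; }
        else if (buf[i] == 0x8A && buf[i + 1] == 0x05) { k = REF_MOV_AL_RIP; ilen = 6; }
        if (k == REF_NONE) continue;
        if (i + ilen > len) break;
        const uint8_t *d = buf + i + 2;                       /* rel32, little-endian */
        uint32_t u = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
                     ((uint32_t)d[2] << 16) | ((uint32_t)d[3] << 24);
        r.kind = k; r.insn_off = i; r.rel32 = (int32_t)u;
        r.target = image_base + (uint64_t)(i + ilen) + (uint64_t)(int64_t)r.rel32;
        break;
    }
    return r;
}

/* Anchor pattern from the issue (shared by both prologues). */
static const char *const kAnchor = "4C 8B D2 83 64 24 ? ? 48 83";

/* Constructed from the Windows 8.1 listing in the issue. */
static const uint8_t kWin81[] = {
    0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x74,0x24,0x10, 0x4C,0x89,0x74,0x24,0x18, 0x41,0x57,
    0x48,0x81,0xEC,0x10,0x01,0x00,0x00, 0x4C,0x8B,0xD2, 0x83,0x64,0x24,0x44,0x00,
    0x48,0x83,0x64,0x24,0x48,0x00, 0x48,0x83,0x64,0x24,0x50,0x00,
    0x8A,0x05,0xFE,0x92,0xCA,0xFF, 0x84,0xC0, 0x75,0x14 };
/* Constructed from the Windows 10 listing in the issue. */
static const uint8_t kWin10[] = {
    0x48,0x89,0x5C,0x24,0x08, 0x56, 0x48,0x81,0xEC,0x70,0x01,0x00,0x00, 0x4C,0x8B,0xD2,
    0x83,0x64,0x24,0x44,0x00, 0x48,0x83,0x64,0x24,0x48,0x00, 0x48,0x83,0x64,0x24,0x50,0x00,
    0x80,0x3D,0x88,0x88,0x35,0x00,0x00, 0x75,0x12 };

/* Anchor on the shared prologue, then accept either encoding of the flag read. */
static data_ref_t locate_kdp_booted_nodebug(const uint8_t *buf, size_t len, uint64_t image_base)
{
    data_ref_t none = { REF_NONE, 0, 0, 0 };
    long hit = find_bytes(buf, len, kAnchor);
    return hit < 0 ? none : resolve_flag_ref(buf, len, (size_t)hit, 48, image_base);
}

int main(void)
{
    const uint64_t base = 0x140000000ULL;   /* assumed image base, as in the IDA listing */
    data_ref_t a = locate_kdp_booted_nodebug(kWin81, sizeof(kWin81), base);
    data_ref_t b = locate_kdp_booted_nodebug(kWin10, sizeof(kWin10), base);
    printf("80 3D on Win8.1 bytes: %ld (not found)\n", find_bytes(kWin81, sizeof(kWin81), "80 3D"));
    printf("Win8.1: kind=%d insn@+%zu rel32=%d target=0x%llx\n",
           (int)a.kind, a.insn_off, a.rel32, (unsigned long long)a.target);
    printf("Win10 : kind=%d insn@+%zu rel32=%d target=0x%llx\n",
           (int)b.kind, b.insn_off, b.rel32, (unsigned long long)b.target);
    return (a.kind != REF_NONE && b.kind != REF_NONE) ? 0 : 1;
}
```

Compile with `gcc -std=c99 -Wall`. The resolved target is only meaningful relative to the base you pass in; in the driver that base is the runtime address of ntoskrnl, and the same anchor-then-branch-on-encoding approach applies to any other RIP-relative flag read (KdEnteredDebugger and friends) whose encoding differs between builds.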