HyperHide

Description

HyperHide is an open-source, hypervisor-based anti-anti-debug plugin for x64dbg/x32dbg. It uses Intel EPT to hook various syscalls and other functions that can be used to detect the presence of a debugger.

Compilation

To compile the project you need the WDK and Visual Studio 2019.

Support

HyperHide supports all Windows versions from Windows 7 up to the newest version (x64 only) and works only on Intel processors with VT-x and EPT support.

Usage Information

Download the pre-compiled binaries or compile the source code yourself.

Turn on test signing mode by running the command below in a cmd window with administrator rights, then restart the system:

bcdedit /set testsigning on

Put HyperHideDrv.sys and airhv.sys into C:\Windows\System32\drivers, then open the Scripts folder in the repository and execute create.bat with administrator rights. To turn on both drivers, execute on.bat with administrator rights. To turn off both airhv and HyperHideDrv, execute off.bat with administrator rights (close all x64dbg/x32dbg instances before turning off the drivers).

32-bit: Copy HyperHide.ini and HyperHide.dp32 to your \x32\plugins\ directory.

64-bit: Copy HyperHide.ini and HyperHide.dp64 to your \x64\plugins\ directory.

To check whether HyperHide is working correctly, use DebugView.

Examples

Output from al-khaser 64 bit: (screenshot)

Output from al-khaser 32 bit: (screenshot)

Features

1. Process Environment Block (PEB)

The most important anti-anti-debug option: almost every protector checks PEB values.

The first and most important one is the BeingDebugged field in the PEB. This field is set when you start a process under a debugger and indicates its presence.

The second is the NtGlobalFlag field. It is 0 by default, but when a process is started by a debugger the following flags are set:

  • FLG_HEAP_ENABLE_TAIL_CHECK (0x10)
  • FLG_HEAP_ENABLE_FREE_CHECK (0x20)
  • FLG_HEAP_VALIDATE_PARAMETERS (0x40)

When the Clear Peb BeingDebugged checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will clear BeingDebugged.

When the Clear Peb NtGlobalFlag checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will clear NtGlobalFlag (do not use if you are attaching to an existing process).

2. Heap Flags

The heap contains two fields that are affected by the debugger.

The first is the Flags field of the heap, which by default is set to HEAP_GROWABLE. When the process is started by a debugger, Flags is set to a combination of these flags:

x86:

  • HEAP_GROWABLE (2)
  • HEAP_TAIL_CHECKING_ENABLED (0x20)
  • HEAP_FREE_CHECKING_ENABLED (0x40)
  • HEAP_SKIP_VALIDATION_CHECKS (0x10000000)
  • HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

x64:

  • HEAP_GROWABLE (2)
  • HEAP_TAIL_CHECKING_ENABLED (0x20)
  • HEAP_FREE_CHECKING_ENABLED (0x40)
  • HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

The second is ForceFlags, which by default is 0. When the process is started by a debugger, ForceFlags is set to a combination of these flags:

  • HEAP_TAIL_CHECKING_ENABLED (0x20)
  • HEAP_FREE_CHECKING_ENABLED (0x40)
  • HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)

When the Clear Heap Flags checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will reset Flags and ForceFlags to their default values (do not use if you are attaching to an existing process).
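The checks in sections 1 and 2 can be exercised offline with the following Python model. It is an added example, not code from HyperHide: it builds a PEB and a _HEAP buffer holding the debugger-set values listed above, evaluates the three indicators a protector looks at, and then applies the resets that the Clear Peb BeingDebugged, Clear Peb NtGlobalFlag and Clear Heap Flags options perform. The field offsets in LAYOUT are assumptions taken from the commonly cited public structure layouts, not from this page, and the buffers are constructed sample data rather than real process memory.

```python
import struct

# Flag values as listed in sections 1 and 2 above.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
NTGLOBALFLAG_DEBUGGER_BITS = (FLG_HEAP_ENABLE_TAIL_CHECK
                              | FLG_HEAP_ENABLE_FREE_CHECK
                              | FLG_HEAP_VALIDATE_PARAMETERS)  # 0x70

HEAP_GROWABLE = 0x2
HEAP_TAIL_CHECKING_ENABLED = 0x20
HEAP_FREE_CHECKING_ENABLED = 0x40
HEAP_SKIP_VALIDATION_CHECKS = 0x10000000
HEAP_VALIDATE_PARAMETERS_ENABLED = 0x40000000
HEAP_DEBUG_FORCEFLAGS = (HEAP_TAIL_CHECKING_ENABLED
                         | HEAP_FREE_CHECKING_ENABLED
                         | HEAP_VALIDATE_PARAMETERS_ENABLED)

# ASSUMPTION: byte offsets of the fields inside _PEB and _HEAP. These are the
# commonly cited public layouts; the page itself does not state offsets.
LAYOUT = {
    "x64": {"being_debugged": 0x02, "nt_global_flag": 0xBC,
            "heap_flags": 0x70, "heap_force_flags": 0x74},
    "x86": {"being_debugged": 0x02, "nt_global_flag": 0x68,
            "heap_flags": 0x40, "heap_force_flags": 0x44},
}


def read_u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def write_u32(buf, off, value):
    struct.pack_into("<I", buf, off, value)


def make_sample(arch, debugged):
    """Construct a PEB and a _HEAP buffer (sample data, not real process memory).

    With debugged=True the fields hold exactly the values the page says a
    debugger-started process gets; otherwise they hold the defaults.
    """
    lay = LAYOUT[arch]
    peb, heap = bytearray(0x100), bytearray(0x100)
    flags = HEAP_GROWABLE
    if debugged:
        peb[lay["being_debugged"]] = 1
        write_u32(peb, lay["nt_global_flag"], NTGLOBALFLAG_DEBUGGER_BITS)
        flags |= HEAP_DEBUG_FORCEFLAGS
        if arch == "x86":                       # x86 additionally gets this bit
            flags |= HEAP_SKIP_VALIDATION_CHECKS
        write_u32(heap, lay["heap_force_flags"], HEAP_DEBUG_FORCEFLAGS)
    write_u32(heap, lay["heap_flags"], flags)
    return peb, heap


def debugger_indicators(peb, heap, arch):
    """The three checks a protector runs against the PEB and the default heap."""
    lay = LAYOUT[arch]
    flags = read_u32(heap, lay["heap_flags"])
    force_flags = read_u32(heap, lay["heap_force_flags"])
    return {
        "being_debugged": peb[lay["being_debugged"]] != 0,
        "nt_global_flag": (read_u32(peb, lay["nt_global_flag"]) & NTGLOBALFLAG_DEBUGGER_BITS) != 0,
        # Anything beyond HEAP_GROWABLE in Flags, or a non-zero ForceFlags, gives the debugger away.
        "heap_flags": (flags & ~HEAP_GROWABLE) != 0 or force_flags != 0,
    }


def normalize(peb, heap, arch):
    """Apply the resets described for the Clear Peb BeingDebugged, Clear Peb
    NtGlobalFlag and Clear Heap Flags options; returns new buffers."""
    lay = LAYOUT[arch]
    peb, heap = bytearray(peb), bytearray(heap)
    peb[lay["being_debugged"]] = 0
    write_u32(peb, lay["nt_global_flag"], 0)           # default is 0
    write_u32(heap, lay["heap_flags"], HEAP_GROWABLE)  # default Flags
    write_u32(heap, lay["heap_force_flags"], 0)        # default ForceFlags
    return peb, heap


if __name__ == "__main__":
    for arch in ("x64", "x86"):
        peb, heap = make_sample(arch, debugged=True)
        print(arch, "before:", debugger_indicators(peb, heap, arch))
        print(arch, "after: ", debugger_indicators(*normalize(peb, heap, arch), arch))
```

Note that the heap check looks at both fields: a protector that only reads Flags is fooled by a tool that resets Flags but forgets ForceFlags, which is why the option resets both.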

3. Process Flags

Windows uses various process flags that can be used to detect a debugger or to make debugging harder.

  • The first flag is BreakOnTermination. When it is set, process termination leads to a BSOD.

When the Clear ProcessBreakOnTermination checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will clear this field in the debugged process's EPROCESS structure and record whether it was set, for later use in NtQueryInformationProcess (do not use if you are starting the process with the debugger).

  • The second flag is ProcessHandleTracing. It indicates whether process handle tracing is enabled.

When the Save ProcessHandleTracing checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will record whether it was set, for later use in NtQueryInformationProcess (do not use if you are starting the process with the debugger).

  • The third flag is ProcessDebugFlags.

When the Save ProcessHandleTracing checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will record whether it was set, for later use in NtQueryInformationProcess (do not use if you are starting the process with the debugger).

4. Thread Flags

Windows uses various thread flags that can be used to detect a debugger or to make debugging harder.

  • The first flag is ThreadHideFromDebugger. When it is set, the debugger loses control of the thread.

When the Clear ThreadHideFromDebugger Flag checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will clear this field in the ETHREAD structure of each thread of the debugged process and record whether it was set, for later use in NtQueryInformationThread (do not use if you are starting the process with the debugger).

  • The second flag is BreakOnTermination. When it is set, thread termination leads to a BSOD.

When the Clear ThreadBreakOnTermination checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will clear this field in the ETHREAD structure of each thread of the debugged process and record whether it was set, for later use in NtQueryInformationThread (do not use if you are starting the process with the debugger).

  • The third flag is BypassProcessFreeze. When it is set, a call to NtSuspendProcess will skip all threads that have this flag set (the flag exists on Windows 19H1 and newer).

When the Clear BypassProcessFreeze Flag checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will clear this field in the KTHREAD structure of each thread of the debugged process (do not use if you are starting the process with the debugger).

5. KUserSharedData

KUserSharedData is a global page shared by all usermode processes and always located at the same address (0x7FFE0000). It holds many counters that can be used to perform timing attacks.

When the KUserSharedData checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will swap the PFN of the process's KUserSharedData page with a fake one. Whenever the process is paused, HyperHideDrv stops updating the counters; after resuming, the counters hold the values derived from the kernel copy of KUserSharedData (always located at the same address, 0xFFFFF78000000000) minus the time spent paused.

When the Clear KUserSharedData checkbox is set in the plugin options, HyperHideDrv will clear the KdDebuggerEnabled field (works only if the usermode KUserSharedData page is replaced with the fake one).

6. KiExceptionDispatch

KiExceptionDispatch is the kernelmode function responsible for dispatching exceptions. HyperHideDrv hooks it to clear the debug registers or to deliver a fake debug context if one was previously set with NtSetContextThread\NtSetInformationThread\NtContinue.

When the KiExceptionDispatch checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function.

7. NtQueryInformationProcess

NtQueryInformationProcess can be called with various PROCESSINFOCLASS values to detect a debugger, for example:

  • ProcessDebugPort is used to retrieve the debugger port number for the process. If the process is debugged, this function writes -1 (0xFFFFFFFFFFFFFFFF) to the buffer passed in ProcessInformation; otherwise it writes 0. HyperHideDrv always returns 0.

  • ProcessDebugObjectHandle is used to query the debug object handle. If there is no attached debugger, the function writes 0 to the passed buffer and returns STATUS_PORT_NOT_SET (0xC0000353). HyperHideDrv will always return STATUS_PORT_NOT_SET.

  • ProcessDebugFlags is used to query the process flag NoDebugInherit. If a debugger is attached the function returns 0, otherwise it returns 1. HyperHideDrv will return the value previously saved from NtSetInformationProcess or the value saved while attaching.

  • ProcessBreakOnTermination is used to retrieve whether the process has the BreakOnTermination flag set. HyperHideDrv will return the value previously saved from NtSetInformationProcess or the value that was cleared while attaching.

  • ProcessBasicInformation is used to retrieve the process's parent id. HyperHide will return the explorer.exe PID.

  • ProcessIoCounters is used to retrieve information about I/O counters. HyperHideDrv will write 1 to the OtherOperationCount field in IO_COUNTERS.

  • ProcessHandleTracing is used to retrieve whether process handle tracing is enabled. HyperHideDrv will return the value previously saved from NtSetInformationProcess or the value saved while attaching.

When the NtQueryInformationProcess checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle the cases above.

8. NtQueryInformationThread

NtQueryInformationThread can be called with various THREADINFOCLASS values to detect a debugger, for example:

  • ThreadHideFromDebugger is used to check whether the thread whose handle was passed in the ThreadHandle parameter has the HideFromDebugger flag set. HyperHideDrv will return 0 or 1 depending on whether the process previously attempted to hide the thread via NtSetInformationThread or the thread was hidden while attaching to the process.

  • ThreadBreakOnTermination is used to retrieve whether the thread has the BreakOnTermination flag set. HyperHideDrv will return the value previously saved from NtSetInformationThread or the value that was cleared while attaching.

  • ThreadWow64Context is used to retrieve the WOW64 context. It can be used only on a thread that belongs to a WOW64 process. HyperHideDrv will return zeroed debug registers, or the fake debug registers previously set in NtSetInformationThread with the ThreadWow64Context class.

When the NtQueryInformationThread checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle the cases above.

9. NtQueryInformationJobObject

NtQueryInformationJobObject called with the JOBOBJECTINFOCLASS JobObjectBasicProcessIdList can be used to list the ids of all processes associated with the job and its child jobs. One of them can be a debugger, for example x64dbg/x32dbg. HyperHideDrv will check all PIDs and clear any that matches the debugger PID.

When the NtQueryInformationJobObject checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle the case above.

10. NtQueryObject

NtQueryObject called with the OBJECT_INFORMATION_CLASS ObjectTypeInformation or ObjectTypesInformation can be used to get the number of existing DebugObject handles. Since debuggers create such a handle when they are debugging, HyperHideDrv will return the number of DebugObject handles decremented by one per active debugger.

When the NtQueryObject checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle the cases above.

11. NtQuerySystemInformation

NtQuerySystemInformation called with OBJECT_INFORMATION_CLASS:

  • SystemKernelDebuggerInformation, SystemKernelDebuggerFlags and SystemKernelDebuggerInformationEx can be used to check whether there is an active kernel debugger. HyperHideDrv will always return that there is no active kernel debugger.

  • SystemProcessInformation, SystemSessionProcessInformation, SystemExtendedProcessInformation and SystemFullProcessInformation can be used to list all existing processes, all their threads and their parent process id. HyperHideDrv will filter out all forbidden processes like x64dbg/x32dbg, procmon and procexp, and will also set explorer.exe as the parent process PID.

  • SystemCodeIntegrityInformation is used to check whether code integrity is enabled. If it is not, you can load an unsigned driver like, for example, HyperHideDrv. HyperHideDrv will always return that code integrity is enabled.

  • SystemExtendedHandleInformation and SystemHandleInformation are used to list all existing handles and the process id they belong to. HyperHideDrv will filter out all handles that belong to forbidden processes like x64dbg/x32dbg, procmon and procexp.

When the NtQuerySystemInformation checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle the cases above.

12. NtQuerySystemTime

NtQuerySystemTime can be used to query the system time. HyperHideDrv will take the SystemTime value from the hooked KUserSharedData if there is one; otherwise it will call the original NtQuerySystemTime, save its value, and on every later call increment this saved value and return it.

When the NtQuerySystemTime checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

13. NtQueryPerformanceCounter

Same as for NtQuerySystemTime.

When the NtQueryPerformanceCounter checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.
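The two time-handling strategies the page describes, the pause accounting for the fake KUserSharedData page in section 5 and the saved-then-incremented fallback for NtQuerySystemTime and NtQueryPerformanceCounter in sections 12 and 13, can be modelled as follows. This is an added example, not HyperHideDrv code: FakeKernelClock stands in for the kernel copy of KUserSharedData, the tick unit and the increment step are assumptions, and the scenarios use constructed pause lengths.

```python
class FakeKernelClock:
    """Stands in for the kernel copy of KUserSharedData (constructed, deterministic)."""

    def __init__(self, start=0):
        self.now = start

    def advance(self, ticks):
        self.now += ticks

    def read(self):
        return self.now


class FrozenCounter:
    """Section 5: the counter the debuggee sees stops while the process is paused
    and afterwards equals the kernel counter minus the total time spent paused."""

    def __init__(self, read_kernel_counter):
        self._read_kernel = read_kernel_counter
        self._paused_total = 0
        self._pause_started = None   # kernel value at the start of the current pause

    def pause(self):
        if self._pause_started is None:
            self._pause_started = self._read_kernel()

    def resume(self):
        if self._pause_started is not None:
            self._paused_total += self._read_kernel() - self._pause_started
            self._pause_started = None

    def read(self):
        if self._pause_started is not None:            # paused: value is frozen
            return self._pause_started - self._paused_total
        return self._read_kernel() - self._paused_total


class IncrementingStub:
    """Sections 12/13 fallback used when no fake KUserSharedData page exists:
    call the original once, save the value, then return saved + step per call."""

    def __init__(self, read_original, step=1):
        self._read_original = read_original
        self._step = step
        self._saved = None

    def read(self):
        if self._saved is None:
            self._saved = self._read_original()
        else:
            self._saved += self._step
        return self._saved


def timing_scenario():
    """Two debugger pauses (500 and 300 ticks) inside an 825-tick run; returns
    what the kernel saw versus what the debuggee could measure."""
    clock = FakeKernelClock(start=1000)
    counter = FrozenCounter(clock.read)
    t0 = counter.read()
    clock.advance(10)          # process runs
    counter.pause()            # debugger breaks in
    clock.advance(500)         # analyst spends 500 ticks in the debugger
    frozen = counter.read()    # read while paused
    counter.resume()
    clock.advance(10)
    counter.pause()            # second break
    clock.advance(300)
    counter.resume()
    clock.advance(5)
    t1 = counter.read()
    return {"real_elapsed": clock.now - 1000,
            "hidden_elapsed": t1 - t0,
            "frozen_value": frozen}


def stub_scenario():
    """The saved value only ticks by `step`, however long the debugger holds the process."""
    clock = FakeKernelClock(start=5000)
    stub = IncrementingStub(clock.read, step=1)
    first = stub.read()
    clock.advance(10_000)      # long pause in the debugger
    return [first, stub.read(), stub.read()]


if __name__ == "__main__":
    print(timing_scenario())
    print(stub_scenario())
```

The fallback is the weaker of the two: a process that compares the stub's output against any other clock (a network timestamp, a thread spinning on rdtsc) sees the discrepancy, which is why the page prefers the replaced KUserSharedData page when it is available.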

14. NtSetInformationThread

NtSetInformationThread can be called with various THREADINFOCLASS values to detect a debugger, for example:

  • ThreadHideFromDebugger is used to hide a thread from the debugger. HyperHideDrv will ignore that request, record that this thread was requested to be hidden, and use that information later in NtQueryInformationThread.

  • ThreadWow64Context is used to set the WOW64 thread context. It can be used only on a thread that belongs to a WOW64 process. HyperHideDrv will ignore that request, save the debug registers passed in the context, and use them later in NtQueryInformationThread.

  • ThreadBreakOnTermination is used to set the thread's BreakOnTermination flag. When a thread with this flag set is terminated, a BSOD is thrown. HyperHideDrv ignores that request and saves that information for later use in NtQueryInformationThread.

When the NtSetInformationThread checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle the cases above.

15. NtSetInformationProcess

NtQueryInformationProcess can be called with various PROCESSINFOCLASS values to detect a debugger, for example:

  • ProcessDebugFlags is used to set the process flag NoDebugInherit. HyperHideDrv will save that information for later use in NtQueryInformationProcess.

  • ProcessBreakOnTermination is used to set the BreakOnTermination flag. When a process with this flag set is terminated, a BSOD is thrown. HyperHideDrv will ignore that request and save that information for later use in NtQueryInformationProcess.

  • ProcessHandleTracing is used to enable process handle tracing. HyperHideDrv will save that information for later use in NtQueryInformationProcess.

When the NtSetInformationProcess checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle the cases above.
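Sections 3, 4, 7, 8, 14 and 15 all describe one pattern: the driver does not apply the requested flag, remembers what was requested (or what it found at attach time), and hands that value back on query. The model below is an added example rather than code from the project; it shows that bookkeeping for the information classes named on this page. The info-class names are used as strings, the PID and TID values are constructed, and the Dr0..Dr7 keys are an assumption about how the saved debug registers of a context are represented.

```python
STATUS_SUCCESS = 0x00000000
STATUS_PORT_NOT_SET = 0xC0000353          # stated in section 7
DEBUG_PORT_PRESENT = 0xFFFFFFFFFFFFFFFF    # what the real call writes for a debugged process

ZERO_DEBUG_REGISTERS = {"Dr0": 0, "Dr1": 0, "Dr2": 0, "Dr3": 0, "Dr6": 0, "Dr7": 0}


class HidingState:
    """Bookkeeping kept per debugged process (a model, not the driver's structures)."""

    def __init__(self, explorer_pid):
        self.explorer_pid = explorer_pid
        # Defaults as an undebugged process would report them.
        self.process = {"ProcessDebugFlags": 1, "ProcessBreakOnTermination": 0,
                        "ProcessHandleTracing": 0}
        self.threads = {}   # tid -> {info class or "debug_registers": value}

    def _thread(self, tid):
        return self.threads.setdefault(tid, {})

    # Attach time (sections 3 and 4): real values are recorded, then cleared in the kernel objects.
    def on_attach(self, process_flags, thread_flags):
        self.process.update(process_flags)
        for tid, flags in thread_flags.items():
            self._thread(tid).update(flags)

    # NtSetInformationProcess (section 15): the request is not applied, only remembered.
    def set_information_process(self, info_class, value):
        if info_class not in self.process:
            return None                  # not handled: would reach the original syscall
        self.process[info_class] = int(value)
        return STATUS_SUCCESS

    # NtQueryInformationProcess (section 7): returns (status, result).
    def query_information_process(self, info_class, real_result=None):
        if info_class == "ProcessDebugPort":
            return STATUS_SUCCESS, 0
        if info_class == "ProcessDebugObjectHandle":
            return STATUS_PORT_NOT_SET, 0
        if info_class == "ProcessBasicInformation":
            fixed = dict(real_result)
            fixed["InheritedFromUniqueProcessId"] = self.explorer_pid
            return STATUS_SUCCESS, fixed
        if info_class == "ProcessIoCounters":
            fixed = dict(real_result)
            fixed["OtherOperationCount"] = 1
            return STATUS_SUCCESS, fixed
        if info_class in self.process:
            return STATUS_SUCCESS, self.process[info_class]
        return STATUS_SUCCESS, real_result

    # NtSetInformationThread (section 14).
    def set_information_thread(self, tid, info_class, value=None):
        t = self._thread(tid)
        if info_class == "ThreadHideFromDebugger":
            t[info_class] = 1
        elif info_class == "ThreadBreakOnTermination":
            t[info_class] = int(value)
        elif info_class == "ThreadWow64Context":
            t["debug_registers"] = {k: v for k, v in value.items() if k in ZERO_DEBUG_REGISTERS}
        else:
            return None
        return STATUS_SUCCESS

    # NtQueryInformationThread (section 8): returns (status, result).
    def query_information_thread(self, tid, info_class, real_result=None):
        t = self.threads.get(tid, {})
        if info_class in ("ThreadHideFromDebugger", "ThreadBreakOnTermination"):
            return STATUS_SUCCESS, t.get(info_class, 0)
        if info_class == "ThreadWow64Context":
            ctx = dict(real_result or {})
            regs = dict(ZERO_DEBUG_REGISTERS)          # zeroed unless a fake set was saved
            regs.update(t.get("debug_registers", {}))
            ctx.update(regs)
            return STATUS_SUCCESS, ctx
        return STATUS_SUCCESS, real_result


def scenario():
    """Constructed sequence: attach to a process that already had BreakOnTermination
    set and one hidden thread, then replay the queries a protector would issue."""
    st = HidingState(explorer_pid=1337)
    st.on_attach({"ProcessBreakOnTermination": 1}, {100: {"ThreadHideFromDebugger": 1}})
    out = {}
    out["debug_port"] = st.query_information_process("ProcessDebugPort", DEBUG_PORT_PRESENT)
    out["debug_object"] = st.query_information_process("ProcessDebugObjectHandle")
    basic = {"UniqueProcessId": 500, "InheritedFromUniqueProcessId": 4242}   # 4242 = debugger pid
    out["parent"] = st.query_information_process("ProcessBasicInformation", basic)[1]["InheritedFromUniqueProcessId"]
    out["bot_after_attach"] = st.query_information_process("ProcessBreakOnTermination")[1]
    st.set_information_process("ProcessBreakOnTermination", 0)
    out["bot_after_set"] = st.query_information_process("ProcessBreakOnTermination")[1]
    out["hidden_at_attach"] = st.query_information_thread(100, "ThreadHideFromDebugger")[1]
    out["hidden_before_set"] = st.query_information_thread(101, "ThreadHideFromDebugger")[1]
    st.set_information_thread(101, "ThreadHideFromDebugger")
    out["hidden_after_set"] = st.query_information_thread(101, "ThreadHideFromDebugger")[1]
    debugger_ctx = {"Eip": 0x401000, "Dr0": 0x401000, "Dr7": 1}   # debugger's hardware breakpoint
    out["dr0_no_fake"] = st.query_information_thread(101, "ThreadWow64Context", debugger_ctx)[1]["Dr0"]
    st.set_information_thread(101, "ThreadWow64Context", {"Dr0": 0xDEAD, "Dr7": 1})
    out["dr0_with_fake"] = st.query_information_thread(101, "ThreadWow64Context", debugger_ctx)[1]["Dr0"]
    return out
```

The attach-time snapshot is the part that makes the "do not use if you are starting the process with the debugger" remarks above matter: the saved values are only meaningful if they were captured from a process that already existed.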

16. NtSystemDebugControl

NtSystemDebugControl should always return STATUS_DEBUGGER_INACTIVE if there is no active debugger, or, when Command is set to SysDbgGetTriageDump, STATUS_INFO_LENGTH_MISMATCH.

When the NtSystemDebugControl checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

17. NtClose

NtClose is used to close a handle. If there is an active debugger, attempting to close an invalid or protected handle raises an exception. HyperHideDrv checks whether such conditions are met and returns without an exception being raised.

When the NtClose checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

18. NtSetContextThread

NtSetContextThread can be used to clear/set the DR registers, which are used for hardware breakpoints. HyperHideDrv will clear the flag in ContextFlags so the call won't change the DR registers. It will also save the DR values from the passed context for later use in NtGetContextThread\KiExceptionDispatch.

When the NtSetContextThread checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

19. NtGetContextThread

NtGetContextThread can be used to retrieve a context with the DR registers, which are used for hardware breakpoints. HyperHideDrv will set the DR registers in the context to the ones previously saved in NtSetContextThread, and if there aren't any they will be zeroed.

When the NtGetContextThread checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

20. NtCreateThreadEx

NtCreateThreadEx is used to create a thread. It is possible to pass thread flags to the function, for example HideFromDebugger or FreezeBypassProcessFreeze. HyperHideDrv will create the thread while ignoring these flags, and will save information about them for later use in NtQueryInformationThread.

When the NtCreateThreadEx checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

21. NtCreateProcessEx

Similar to NtCreateUserProcess, but NtCreateProcessEx is deprecated and not used in newer Windows versions.

When the NtCreateProcessEx checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

22. NtCreateUserProcess

NtCreateUserProcess is used to create a process. HyperHideDrv will hide the newly created process until the debugger or the new process exits.

When the NtCreateUserProcess checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

23. NtCreateFile

NtCreateFile can be used to create a handle to a driver. HyperHideDrv will check whether the debugged process wants to create a handle to one of the forbidden drivers.

When the NtCreateFile checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

24. NtYieldExecution

This method is not really reliable because it only shows whether there is a higher-priority thread in the current process. HyperHideDrv will always return STATUS_SUCCESS.

When the NtYieldExecution checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

25. NtOpenProcess

NtOpenProcess can be used to enumerate all existing processes, since every process has its own PID. HyperHideDrv will check whether the PID belongs to any forbidden process like x64dbg/x32dbg, procmon or procexp.

When the NtOpenProcess checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

26. NtOpenThread

Same as NtOpenProcess, but instead of a PID it uses a TID (thread ID).

When the NtOpenThread checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

27. NtGetNextProcess

Same as NtOpenProcess, but instead of a PID it uses a process handle.

When the NtGetNextProcess checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

28. NtContinue

Same as NtSetContextThread.

When the NtContinue checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

29. NtUserFindWindowEx

NtUserFindWindowEx can be used to retrieve a handle to the top-level window whose class name and window name match the specified strings. HyperHideDrv will check whether the specified names are forbidden.

When the NtUserFindWindowEx checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

30. NtUserGetForegroundWindow

NtUserGetForegroundWindow can be used to retrieve a handle to the foreground window. If it is a handle to a debugger window, HyperHideDrv returns the result of NtUserGetThreadState with THREADSTATE_ACTIVEWINDOW instead.

When the NtUserGetForegroundWindow checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

31. NtUserQueryWindow

NtUserQueryWindow can be used to retrieve the identifier of the thread that created the specified window, or the identifier of the process that created it. HyperHideDrv will check whether the window handle belongs to the debugger and, if so, return the debugged process's PID or TID.

When the NtUserQueryWindow checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

32. NtUserBuildHwndList

NtUserBuildHwndList can be used to list all windows. HyperHideDrv will find every handle to a forbidden window and clear the information about it.

When the NtUserBuildHwndList checkbox is set in the plugin options, then every time you start debugging HyperHideDrv will hook this function and handle it.

Remarks

Never run this driver on a production system. Use a virtual machine instead.

License

HyperHide is under the GNU General Public License v3.

Special thanks to

ScyllaHide developers

al-khaser by Noteworthy

Check Point for Anti-Debug Tricks

Peter Ferrie for his Anti-Debug pdf

hyperhide's People

Contributors

air14


hyperhide's Issues

amd alt?

Is there any kind of similar alternative for AMD cpus? Thanks a lot!

BSOD hv::vmread(GUEST_LDTR_SELECTOR);


Microsoft (R) Windows Debugger Version 10.0.22000.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff806`72800000 PsLoadedModuleList = 0xfffff806`7342a190
Debug session time: Fri Aug 27 16:09:05.529 2021 (UTC + 8:00)
System Uptime: 0 days 0:05:00.392
Loading Kernel Symbols
...............................................................
.........Page 403808 not present in the dump file. Type ".hh dbgerr004" for details
.......................................................
................................................................
............
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`01291018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.........
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000014ffd0a, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8067d13d64c, address which referenced memory

Debugging Details:
------------------

Unable to load image \??\D:\Debugger\xgDebuger\airhv.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2187

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 9408

    Key  : Analysis.Init.CPU.mSec
    Value: 2312

    Key  : Analysis.Init.Elapsed.mSec
    Value: 15751

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 105

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  d1

BUGCHECK_P1: 14ffd0a

BUGCHECK_P2: ff

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8067d13d64c

READ_ADDRESS:  00000000014ffd0a 

ADDITIONAL_DEBUG_TEXT:  The trap occurred when interrupts are disabled on the target.

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  xcoronahost.xem

TRAP_FRAME:  ffffe30835072cc0 -- (.trap 0xffffe30835072cc0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00000000014ffd0a
rdx=0000000000005658 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8067d13d64c rsp=ffffe30835072e50 rbp=00000000f344c014
 r8=0000000000e8b86f  r9=0000000000000000 r10=0000000000000000
r11=000000000111e250 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di ng nz na po nc
airhv!vmexit_ldtr_access_handler+0xbc:
fffff806`7d13d64c 488901          mov     qword ptr [rcx],rax ds:00000000`014ffd0a=????????????????
Resetting default scope

BAD_STACK_POINTER:  ffffe30835072b78

STACK_TEXT:  
ffffe308`35072b78 fffff806`72c09169     : 00000000`0000000a 00000000`014ffd0a 00000000`000000ff 00000000`00000000 : nt!KeBugCheckEx
ffffe308`35072b80 fffff806`72c05469     : 1336d8ff`fff8067d ae6000ff`fff8067d 000040ff`fff80672 ae584a00`00000000 : nt!KiBugCheckDispatch+0x69
ffffe308`35072cc0 fffff806`7d13d64c     : 00000000`0000080c fffff806`7d13ce77 ffffe308`35072ff8 fffff806`7d13d331 : nt!KiPageFault+0x469
ffffe308`35072e50 fffff806`7d13dac8     : ffffe308`28913a70 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_ldtr_access_handler+0xbc [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 228] 
ffffe308`35072ec0 fffff806`7d13139c     : ffffe308`35072f20 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_handler+0xe8 [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 1439] 
ffffe308`35072f00 ffffe308`35072f20     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmm_entrypoint+0x4c [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\asm\vm_context.asm @ 60] 
ffffe308`35072f08 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffe308`35072f20


FAULTING_SOURCE_LINE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp

FAULTING_SOURCE_FILE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp

FAULTING_SOURCE_LINE_NUMBER:  228

FAULTING_SOURCE_CODE:  
   224: 	{
   225: 		// SLDT
   226: 		case 0:
   227: 		{
>  228: 			*linear_address = hv::vmread(GUEST_LDTR_SELECTOR);
   229: 
   230: 			break;
   231: 		}
   232: 
   233: 		// STR


SYMBOL_NAME:  airhv!vmexit_ldtr_access_handler+bc

MODULE_NAME: airhv

IMAGE_NAME:  airhv.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  bc

FAILURE_BUCKET_ID:  DISABLED_INTERRUPT_FAULT_STACKPTR_ERROR_airhv!vmexit_ldtr_access_handler

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {d9cba956-7904-06a1-f790-6a47973b5789}

Followup:     MachineOwner
---------


}...

[SC] StartService: OpenService FAILED 1060

C:\Users\Hi\Desktop\HyperHide>sc start HyperHideDrv.sys
[SC] StartService: OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\Users\Hi\Desktop\HyperHide>sc start HyperHideDrv
[SC] StartService: OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\Users\Hi\Desktop\HyperHide>

sc start HyperHideDrv [SC] StartService Failed 31 on Intel x64 Win10 22H2

Description

[SC] StartService FAILED 31: device attached to the system is not functioning.
Running on.bat as administrator reports error code 31

Environment

VMware® Workstation 17 Pro 17.0.0 build-20800274
Physical Machine: Windows 10 Home, 64-bit (Build 19045.2965) 10.0.19045
Physical Machine Processor: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz 2.59 GHz
Virtual Machine: Windows 10 Professional x64 22H2 19045.2965
cmd "bcdedit /set testsigning on" successfully completed and Virtual Machine rebooted
The test mode is displayed in the lower right corner of the desktop

VT-x enabled

Hyper-V disabled

Virtualization-Based Security (VBS) disabled

Secure Boot disabled

Dbgview

00000001 0.00000000 [19:46:55.918] [INFORMATION] [DriverEntry:90] HyperVisor On

Regedit

driver path

Please also handle NtContinueEx

Hello,

First of all let me say that you created here a really great piece of software, thank you very much.

But now to the issue: since Windows 10 2004 MSFT added an extended version of the NtContinue syscall called NtContinueEx,
and I have already seen it being used, for example by the Line messenger.

It would be great if you could add handling for NtContinueEx as well.

Cheers
David

Crash when selecting KUserSharedData or Clear KUserSharedData

Loading Dump File [F:\061221-52203-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff8056cc00000 PsLoadedModuleList = 0xfffff8056d0432b0
Debug session time: Sat Jun 12 13:51:05.767 2021 (UTC + 11:00)
System Uptime: 0 days 16:38:38.687
Loading Kernel Symbols
...............................................................
................................................................
...................................
Loading User Symbols
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff8056cdbc8a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa2824a02f2d0=0000000000000050
4: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffba8c0b649900, memory referenced.
Arg2: 0000000000000011, value 0 = read operation, 1 = write operation.
Arg3: ffffba8c0b649900, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)

Debugging Details:

*** WARNING: Unable to verify timestamp for HyperHideDrv.sys

Could not read faulting driver name

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 8

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on E5_1

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 34

Key  : Analysis.Memory.CommitPeak.Mb
Value: 70

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 50

BUGCHECK_P1: ffffba8c0b649900

BUGCHECK_P2: 11

BUGCHECK_P3: ffffba8c0b649900

BUGCHECK_P4: 2

WRITE_ADDRESS: fffff8056d16e3b0: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock
fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
ffffba8c0b649900

MM_INTERNAL_CODE: 2

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: procexp64.exe

TRAP_FRAME: ffffa2824a02f570 -- (.trap 0xffffa2824a02f570)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000004025 rbx=0000000000000000 rcx=0000000fffffffff
rdx=fffffc7e3f1f8000 rsi=0000000000000000 rdi=0000000000000000
rip=ffffba8c0b649900 rsp=ffffa2824a02f708 rbp=fffff805781a9ea0
r8=0000000000000001 r9=0000000000010fd4 r10=fffffffff4a68134
r11=000000000034bdea r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po nc
ffffba8c0b649900 0300 add eax,dword ptr [rax] ds:0000000000004025=????????
Resetting default scope

STACK_TEXT:
ffffa2824a02f2c8 fffff8056cddfd54 : 0000000000000050 ffffba8c0b649900 0000000000000011 ffffa2824a02f570 : nt!KeBugCheckEx
ffffa2824a02f2d0 fffff8056cc7aaef : 0000000000000000 0000000000000011 0000000000000000 ffffba8c0b649900 : nt!MiSystemFault+0x1d2d64
ffffa2824a02f3d0 fffff8056cdca79a : 0000000000000000 00001f8000000100 0000000000000000 fffff805781a9ebc : nt!MmAccessFault+0x34f
ffffa2824a02f570 ffffba8c0b649900 : 9100000004025025 ffff82812e603000 ffffba8c003de870 000000023ff05000 : nt!KiPageFault+0x35a
ffffa2824a02f708 9100000004025025 : ffff82812e603000 ffffba8c003de870 000000023ff05000 fffff805781a36c2 : 0xffffba8c0b649900
ffffa2824a02f710 ffff82812e603000 : ffffba8c003de870 000000023ff05000 fffff805781a36c2 0000000000000002 : 0x9100000004025025
ffffa2824a02f718 ffffba8c003de870 : 000000023ff05000 fffff805781a36c2 0000000000000002 000000000034be08 : 0xffff82812e603000
ffffa2824a02f720 000000023ff05000 : fffff805781a36c2 0000000000000002 000000000034be08 fffff8056cc01000 : 0xffffba8c003de870
ffffa2824a02f728 fffff805781a36c2 : 0000000000000002 000000000034be08 fffff8056cc01000 ffffba8c0b649900 : 0x000000023ff05000
ffffa2824a02f730 0000000000000002 : 000000000034be08 fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 : HyperHideDrv+0x36c2
ffffa2824a02f738 000000000034be08 : fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c : 0x2
ffffa2824a02f740 fffff8056cc01000 : ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 : 0x34be08
ffffa2824a02f748 ffffba8c0b649900 : fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 : nt!SeConvertSecurityDescriptorToStringSecurityDescriptor+0xfffffffffffffff0
ffffa2824a02f750 fffff805781ac2b0 : fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 0000000000000000 : 0xffffba8c0b649900
ffffa2824a02f758 fffff8056ccdc92c : ffffba8c08e71eb0 0000000000000002 0000000000000000 0000000000000000 : HyperHideDrv+0xc2b0
ffffa2824a02f760 fffff805781a1e10 : ffffba8c003de870 ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 : nt!KeAcquireGuardedMutex+0x1c
ffffa2824a02f790 ffffba8c003de870 : ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 : HyperHideDrv+0x1e10
ffffa2824a02f798 ffffba8c0dc8e380 : ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 0000000000000000 : 0xffffba8c003de870
ffffa2824a02f7a0 ffffba8c08e71eb0 : fffff8056cf503a9 0000000000000000 0000000000000000 0000000000000000 : 0xffffba8c0dc8e380
ffffa2824a02f7a8 fffff8056cf503a9 : 0000000000000000 0000000000000000 0000000000000000 fffff805781a1489 : 0xffffba8c08e71eb0
ffffa2824a02f7b0 fffff8056cc31cc9 : ffffba8c08e71eb0 0000000000000001 0000000000000001 000000000000020c : nt!_guard_retpoline_exit_indirect_rax+0x9
ffffa2824a02f800 fffff8056d1eb6c5 : ffffa2824a02fb80 ffffba8c08e71eb0 0000000000000001 ffffba8c0b70d690 : nt!IofCallDriver+0x59
ffffa2824a02f840 fffff8056d1eb01a : ffffba8c08e71eb0 ffffa2824a02fb80 000000000022240c ffffa2824a02fb80 : nt!IopSynchronousServiceTail+0x1a5
ffffa2824a02f8e0 fffff8056d1eaa36 : ba8c0d9ed5b0ffed 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x5ca
ffffa2824a02fa20 fffff8056cdcdf98 : 0000000000000001 ffffa2824a02fb00 0000000000000000 ffffa2824a02fa00 : nt!NtDeviceIoControlFile+0x56
ffffa2824a02fa90 00007ffeb4bdc144 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
000000c7ab4ff758 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`b4bdc144

SYMBOL_NAME: HyperHideDrv+36c2

MODULE_NAME: HyperHideDrv

IMAGE_NAME: HyperHideDrv.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 36c2

FAILURE_BUCKET_ID: AV_INVALID_HyperHideDrv!unknown_function

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {d37c959a-417f-c891-0472-d90c19d031fc}

Followup: MachineOwner

Error 577

C:\Users\Rodj\Desktop\HyperHide\Scripts>sc start airhv
[SC] StartService: ошибка: 577:

Системе Windows не удается проверить цифровую подпись этого файла. При последнем изменении оборудования или программного обеспечения могла быть произведена установка неправильно подписанного или поврежденного файла либо вредоносной программы неизвестного происхождения.

C:\Users\Rodj\Desktop\HyperHide\Scripts>sc start HyperHideDrv
[SC] StartService: ошибка: 577:

Системе Windows не удается проверить цифровую подпись этого файла. При последнем изменении оборудования или программного обеспечения могла быть произведена установка неправильно подписанного или поврежденного файла либо вредоносной программы неизвестного происхождения.

sign incorrectly

cmd:
C:\WINDOWS\system32>sc start airhv
[SC] StartService FAILED 577:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

C:\WINDOWS\system32>sc start HyperHideDrv
[SC] StartService FAILED 577:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

C:\WINDOWS\system32>pause
Press any key to continue . . .

Failed to load plugin in x64dbg

When I open x64dbg I get [PLUGIN] Failed to load plugin: HyperHide.dp64 in the logs. I made sure that the airhv and HyperHideDrv drivers were loaded by using driverquery.

My Installation steps

  1. Copy HyperHideDrv.sys and airhv.sys to C:\Windows\System32\drivers
  2. Disable driver signing
  3. Run create.bat script as administrator
  4. Run on.bat script as administrator
  5. Copy HyperHide.dp64 and HyperHide.ini to x64dbg plugins folder
  6. Run x64dbg

Computer details

  • Windows 10 19043.928
  • Intel Core i7-4770HQ
  • x64dbg snapshot_2021-05-08_14-17

DRIVER_IRQL_NOT_LESS_OR_EQUAL on WIN7X64 with HyperHide_2021-07-19

Loading Dump File [C:\Windows\Minidump\072121-11247-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24384.amd64fre.win7sp1_ldr_escrow.190220-1800
Machine Name:
Kernel base = 0xfffff80005251000 PsLoadedModuleList = 0xfffff8000548ac90
Debug session time: Wed Jul 21 13:33:27.203 2021 (UTC + 8:00)
System Uptime: 0 days 0:01:57.592
Loading Kernel Symbols

1: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff88003b80000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8800307ab03, address which referenced memory

Debugging Details:

*** WARNING: Unable to verify timestamp for airhv.sys
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
GetUlongPtrFromAddress: unable to read from fffff800054ee300

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 3

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on WIN-3TVJD1ASNOS

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 11

Key  : Analysis.Memory.CommitPeak.Mb
Value: 68

Key  : Analysis.System
Value: CreateObject

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: d1

BUGCHECK_P1: fffff88003b80000

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8800307ab03

READ_ADDRESS: fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
Unable to get MmSystemRangeStart
GetUlongPtrFromAddress: unable to read from fffff800054ee2f0
GetUlongPtrFromAddress: unable to read from fffff800054ee4a8
fffff88003b80000

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: vmtoolsd.exe

TRAP_FRAME: fffffa8031432cd0 -- (.trap 0xfffffa8031432cd0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000f5d8
rdx=000000000000fed0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8800307ab03 rsp=fffffa8031432e60 rbp=fffffa8031bff810
r8=000000000000fec0 r9=0000000000000020 r10=0000000000000718
r11=fffffa8031432e68 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
airhv+0x9b03:
fffff880`0307ab03 f36e rep outs dx,byte ptr [rsi]
Resetting default scope

BAD_STACK_POINTER: fffffa8031432b88

STACK_TEXT:
fffffa8031432b88 fffff800052f2f69 : 000000000000000a fffff88003b80000 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffffa8031432b90 fffff800052f0d88 : 0000000000000000 fffff88003b80000 0000000000000000 fffff88003b7f718 : nt!KiBugCheckDispatch+0x69
fffffa8031432cd0 fffff8800307ab03 : fffff80005264d0f fffff88000000001 000000007ff4c718 0000000000000000 : nt!KiPageFault+0x448
fffffa8031432e60 fffff80005264d0f : fffff88000000001 000000007ff4c718 0000000000000000 fffff8a001937ce0 : airhv+0x9b03
fffffa8031432e68 fffff88000000001 : 000000007ff4c718 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 : nt!MmCreateMdl+0xb7
fffffa8031432e70 000000007ff4c718 : 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 : 0xfffff88000000001
fffffa8031432e78 0000000000000000 : fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 fffff880`0307a15d : 0x7ff4c718

SYMBOL_NAME: airhv+9b03

MODULE_NAME: airhv

IMAGE_NAME: airhv.sys

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: X64_0xD1_STACKPTR_ERROR_airhv+9b03

OS_VERSION: 7.1.7601.24384

BUILDLAB_STR: win7sp1_ldr_escrow

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {7ac92028-be9a-ed12-5957-bd8308811d0f}

Followup: MachineOwner

blue screen

Hello author, loading this driver causes a blue screen. Can you please skip loading the sys driver so that it won't blue-screen?
Just load HyperHide.dp64 and HyperHide.ini with the other plugins, which makes installation much easier!

Crash with HyperHide_2021-06-13

Loading Dump File [C:\Windows\Minidump\062621-23977-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24441.amd64fre.win7sp1_ldr.190418-1735
Machine Name:
Kernel base = 0xfffff80006808000 PsLoadedModuleList = 0xfffff80006a41c90
Debug session time: Sat Jun 26 23:37:11.662 2021 (UTC + 8:00)
System Uptime: 0 days 1:21:39.427
Loading Kernel Symbols
...............................................................
................................................................
..................................................
Loading User Symbols
Loading unloaded module list
..........
For analysis of this file, run !analyze -v
3: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:

  1. A driver has inadvertently or deliberately modified critical kernel code
    or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
  2. A developer attempted to set a normal kernel breakpoint using a kernel
    debugger that was not attached when the system was booted. Normal breakpoints,
    "bp", can only be set if the debugger is attached at boot time. Hardware
    breakpoints, "ba", can be set at any time.
  3. A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d8a7a328fd, Reserved
Arg2: b3b7465efa213a23, Reserved
Arg3: 00000000c0000080, Failure type dependent information
Arg4: 0000000000000007, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
8 : Object type
9 : A processor IVT
a : Modification of a system service function
b : A generic session data region
c : Modification of a session function or .pdata
d : Modification of an import table
e : Modification of a session import table
f : Ps Win32 callout modification
10 : Debug switch routine modification
11 : IRP allocator modification
12 : Driver call dispatcher modification
13 : IRP completion dispatcher modification
14 : IRP deallocator modification
15 : A processor control register
16 : Critical floating point control register modification
17 : Local APIC modification
18 : Kernel notification callout modification
19 : Loaded module list modification
1a : Type 3 process list corruption
1b : Type 4 process list corruption
1c : Driver object corruption
1d : Executive callback object modification
1e : Modification of module padding
1f : Modification of a protected process
20 : A generic data region
21 : A page hash mismatch
22 : A session page hash mismatch
23 : Load config directory modification
24 : Inverted function table modification
25 : Session configuration modification
26 : An extended processor control register
27 : Type 1 pool corruption
28 : Type 2 pool corruption
29 : Type 3 pool corruption
2a : Type 4 pool corruption
2b : Modification of a function or .pdata
2c : Image integrity corruption
2d : Processor misconfiguration
2e : Type 5 process list corruption
2f : Process shadow corruption
30 : Retpoline code page corruption
101 : General pool corruption
102 : Modification of win32k.sys

Debugging Details:

fffff800069ea0e8: Unable to get Flags value from nt!KdVersionBlock
GetUlongPtrFromAddress: unable to read from fffff80006aa5300

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 1

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on XU-PC

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 1

Key  : Analysis.Memory.CommitPeak.Mb
Value: 66

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 109

BUGCHECK_P1: a3a039d8a7a328fd

BUGCHECK_P2: b3b7465efa213a23

BUGCHECK_P3: c0000080

BUGCHECK_P4: 7

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

STACK_TEXT:
fffff88004d08498 0000000000000000 : 0000000000000109 a3a039d8a7a328fd b3b7465efa213a23 00000000c0000080 : nt!KeBugCheckEx

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: BAD_STACK_0x109

OS_VERSION: 7.1.7601.24441

BUILDLAB_STR: win7sp1_ldr

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {b4d7023a-05c3-49b2-3ea4-6240fe57d90e}

Followup: MachineOwner

IDA Pro

Hi,

Is it possible to adapt your project for IDA Pro?!

Regards

vmp3.5 "Virtual Machine"


VMProtect v3.5.0:
any program will show the prompt as long as virtual machine detection is enabled.
HyperHide -> (√) Hypervisor not visible

win10 blue screen

This is an excellent and very useful open-source project! I hope the fixes can be completed further!

about cheat engine

When I run on.bat, I am unable to run Cheat Engine (7.5) properly. I can see the CE process in the Task Manager, but CE cannot be displayed properly. What should I do? Thank you.

HookedNtYieldExecution return value error

if(Hider::IsHidden(IoGetCurrentProcess(), HIDE_NT_YIELD_EXECUTION) == TRUE)
{
    OriginalNtYieldExecution();
    return STATUS_SUCCESS; // return here STATUS_NO_YIELD_PERFORMED
}

sc start HyperHideDrv [SC] StartService Failed 31 on Intel x64 Win11 23H2

If HyperHideDrv is started first, the computer blue-screens.

DebugView Log

[12:07:14.422] [INFORMATION] [DriverEntry:89] HyperVisor On
[12:07:14.422] [INFORMATION] [DriverEntry:94] Got offsets
[12:07:14.455] [INFORMATION] [DriverEntry:99] Got Ssdt
[12:07:14.504] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffff908000000000
[12:07:14.504] [INFORMATION] [DriverEntry:104] Hider Initialized
[12:07:14.504] [INFORMATION] [DriverEntry:112] PsSetCreateThreadNotifyRoutine succeded
[12:07:14.504] [INFORMATION] [DriverEntry:121] PsSetCreateProcessNotifyRoutine succeded
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA3
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1CD
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x198
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF9
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC7
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x154
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xCF
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xFE
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x137
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserBuildHwndList is equal: 0x1A
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserFindWindowEx is equal: 0x67
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserQueryWindow is equal: 0xE
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetForegroundWindow is equal: 0x37
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetThreadState is equal: 0x0
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [HookWin32kSyscalls:1860] NtUserFindWindowEx hook failed

AMD CPU failed to turn on the driver

My CPU is an AMD 1950X and CPU virtualization is enabled, but the driver always fails to load.

System version: Microsoft Windows [Version 10.0.19043.1110]

I enabled test mode on Windows 10 with the following commands to allow unsigned drivers to load.

The driver could not be loaded

bcdedit.exe /set nointegritychecks on 
bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe /set testsigning on

error:
C:\Windows\system32>sc start airhv
[SC] StartService fail 2:
C:\Windows\system32>sc start HyperHideDrv
[SC] StartService fail 31:


StartService FAILED 31 2H22 There may still be problems

[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.300] [INFORMATION] [init_vcpu:272] vcpu entry allocated successfully at FFFFA00491BE3230
[02:35:43.300] [INFORMATION] [init_vcpu:272] vcpu entry allocated successfully at FFFFA00491BE3310
[02:35:43.300] [INFORMATION] [init_logical_processor:368] vcpu 0 is now in VMX operation.

[02:35:43.300] [INFORMATION] [init_logical_processor:368] vcpu 1 is now in VMX operation.

[02:35:43.347] [INFORMATION] [DriverEntry:89] HyperVisor On
[02:35:43.347] [INFORMATION] [DriverEntry:94] Got offsets
[02:35:43.347] [INFORMATION] [DriverEntry:99] Got code caves
[02:35:43.363] [INFORMATION] [DriverEntry:104] Got Ssdt
[02:35:43.394] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffff980000000000
[02:35:43.394] [INFORMATION] [DriverEntry:109] Hider Initialized
[02:35:43.394] [INFORMATION] [DriverEntry:117] PsSetCreateThreadNotifyRoutine succeded
[02:35:43.394] [INFORMATION] [DriverEntry:126] PsSetCreateProcessNotifyRoutine succeded
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA1
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1BD
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x18B
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF2
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC1
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x14A
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xC8
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xF7
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x12E
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [ERROR] [hook_function:638] Requested virtual memory doesn't exist in physical one
[02:35:43.394] [ERROR] [HookNtSyscalls:1821] NtSetContextThread hook failed

Fucking BSOD

Hi, I tried to use this plugin to bypass the anti-debug of Themida (latest version).
If I start on.bat, then I get a BSOD.
I am just starting to learn about drivers, so I can't fix it.
Error code: WHEA UNCORRECTABLE ERROR
Dump: https://drive.google.com/file/d/1ZZdgCOR3n5V5I8wAcOmC2cUh_cXDttD_/view?usp=sharing

Also I recommend adding a hook for NtQueryLicenseValue. It can be called from ring3 to check test mode (CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners).
You can see more information here: https://github.com/HyperSine/Windows10-CustomKernelSigners

Compile failed (win7 x64 6.1.7601.24441)

When I try to compile the latest code, I get a lot of errors. Can someone tell me how to fix this? Thanks a lot.


Details:
Windows 7 x64 sp1 ( 6.1.7601.24441)
Microsoft Visual Studio Enterprise 2019 version 16.10.2
WDK 10.0.19030.1000
