air14 / hyperhide
Hypervisor based anti anti debug plugin for x64dbg
License: MIT License
VMProtect 3.6 is detecting hyperhide in x64dbg. Maybe this can be implemented.
Hi,
Is it possible to adapt your project for IDA Pro?!
Regards
detected as a virtual machine
When I open x64dbg I get [PLUGIN] Failed to load plugin: HyperHide.dp64 in the logs. I made sure that the airhv and HyperHideDrv drivers were loaded by using driverquery.
My Installation steps
C:\Windows\System32\drivers
Computer details
snapshot_2021-05-08_14-17
Hello,
First of all, let me say that you created a really great piece of software here, thank you very much.
But now to the issue: since Windows 10 2004, MSFT added an extended version of the NtContinue syscall called NtContinueEx,
and I have already seen it being used, for example by the Line messenger.
It would be great if you could add handling for NtContinueEx as well.
Cheers
David
My CPU is an AMD 1950X and CPU virtualization is enabled, but the driver always fails to load.
System Ver: Microsoft Windows [Version 10.0.19043.1110]
I started the test mode of Windows 10 with the following commands to allow unsigned driver loading.
The driver could not be loaded:
bcdedit.exe /set nointegritychecks on
bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe /set testsigning on
error:
C:\Windows\system32>sc start airhv
[SC] StartService fail 2:
C:\Windows\system32>sc start HyperHideDrv
[SC] StartService fail 31:
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.300] [INFORMATION] [init_vcpu:272] vcpu entry allocated successfully at FFFFA00491BE3230
[02:35:43.300] [INFORMATION] [init_vcpu:272] vcpu entry allocated successfully at FFFFA00491BE3310
[02:35:43.300] [INFORMATION] [init_logical_processor:368] vcpu 0 is now in VMX operation.
[02:35:43.300] [INFORMATION] [init_logical_processor:368] vcpu 1 is now in VMX operation.
[02:35:43.347] [INFORMATION] [DriverEntry:89] HyperVisor On
[02:35:43.347] [INFORMATION] [DriverEntry:94] Got offsets
[02:35:43.347] [INFORMATION] [DriverEntry:99] Got code caves
[02:35:43.363] [INFORMATION] [DriverEntry:104] Got Ssdt
[02:35:43.394] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffff980000000000
[02:35:43.394] [INFORMATION] [DriverEntry:109] Hider Initialized
[02:35:43.394] [INFORMATION] [DriverEntry:117] PsSetCreateThreadNotifyRoutine succeded
[02:35:43.394] [INFORMATION] [DriverEntry:126] PsSetCreateProcessNotifyRoutine succeded
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA1
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1BD
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x18B
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF2
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC1
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x14A
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xC8
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xF7
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x12E
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [ERROR] [hook_function:638] Requested virtual memory doesn't exist in physical one
[02:35:43.394] [ERROR] [HookNtSyscalls:1821] NtSetContextThread hook failed
Can you pass dynamic anti-debugging checks, such as time checks and 0xCC detection?
This is a very excellent and useful open source project! I hope the fixes can be completed further!
Microsoft (R) Windows Debugger Version 10.0.22000.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff806`72800000 PsLoadedModuleList = 0xfffff806`7342a190
Debug session time: Fri Aug 27 16:09:05.529 2021 (UTC + 8:00)
System Uptime: 0 days 0:05:00.392
Loading Kernel Symbols
Page 403808 not present in the dump file. Type ".hh dbgerr004" for details
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`01291018). Type ".hh dbgerr001" for details
Loading unloaded module list
For analysis of this file, run !analyze -v
0: kd> !analyze -v
Bugcheck Analysis
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000014ffd0a, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8067d13d64c, address which referenced memory
Debugging Details:
------------------
Unable to load image \??\D:\Debugger\xgDebuger\airhv.sys, Win32 error 0n2
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 2187
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 9408
Key : Analysis.Init.CPU.mSec
Value: 2312
Key : Analysis.Init.Elapsed.mSec
Value: 15751
Key : Analysis.Memory.CommitPeak.Mb
Value: 105
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: d1
BUGCHECK_P1: 14ffd0a
BUGCHECK_P2: ff
BUGCHECK_P3: 0
BUGCHECK_P4: fffff8067d13d64c
READ_ADDRESS: 00000000014ffd0a
ADDITIONAL_DEBUG_TEXT: The trap occurred when interrupts are disabled on the target.
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: xcoronahost.xem
TRAP_FRAME: ffffe30835072cc0 -- (.trap 0xffffe30835072cc0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00000000014ffd0a
rdx=0000000000005658 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8067d13d64c rsp=ffffe30835072e50 rbp=00000000f344c014
r8=0000000000e8b86f r9=0000000000000000 r10=0000000000000000
r11=000000000111e250 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di ng nz na po nc
airhv!vmexit_ldtr_access_handler+0xbc:
fffff806`7d13d64c 488901 mov qword ptr [rcx],rax ds:00000000`014ffd0a=????????????????
Resetting default scope
BAD_STACK_POINTER: ffffe30835072b78
STACK_TEXT:
ffffe308`35072b78 fffff806`72c09169 : 00000000`0000000a 00000000`014ffd0a 00000000`000000ff 00000000`00000000 : nt!KeBugCheckEx
ffffe308`35072b80 fffff806`72c05469 : 1336d8ff`fff8067d ae6000ff`fff8067d 000040ff`fff80672 ae584a00`00000000 : nt!KiBugCheckDispatch+0x69
ffffe308`35072cc0 fffff806`7d13d64c : 00000000`0000080c fffff806`7d13ce77 ffffe308`35072ff8 fffff806`7d13d331 : nt!KiPageFault+0x469
ffffe308`35072e50 fffff806`7d13dac8 : ffffe308`28913a70 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_ldtr_access_handler+0xbc [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 228]
ffffe308`35072ec0 fffff806`7d13139c : ffffe308`35072f20 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_handler+0xe8 [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 1439]
ffffe308`35072f00 ffffe308`35072f20 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmm_entrypoint+0x4c [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\asm\vm_context.asm @ 60]
ffffe308`35072f08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffe308`35072f20
FAULTING_SOURCE_LINE: D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp
FAULTING_SOURCE_FILE: D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp
FAULTING_SOURCE_LINE_NUMBER: 228
FAULTING_SOURCE_CODE:
224: {
225: // SLDT
226: case 0:
227: {
> 228: *linear_address = hv::vmread(GUEST_LDTR_SELECTOR);
229:
230: break;
231: }
232:
233: // STR
SYMBOL_NAME: airhv!vmexit_ldtr_access_handler+bc
MODULE_NAME: airhv
IMAGE_NAME: airhv.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: bc
FAILURE_BUCKET_ID: DISABLED_INTERRUPT_FAULT_STACKPTR_ERROR_airhv!vmexit_ldtr_access_handler
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {d9cba956-7904-06a1-f790-6a47973b5789}
Followup: MachineOwner
---------
Loading Dump File [C:\Windows\Minidump\072121-11247-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24384.amd64fre.win7sp1_ldr_escrow.190220-1800
Machine Name:
Kernel base = 0xfffff800`05251000 PsLoadedModuleList = 0xfffff800`0548ac90
Debug session time: Wed Jul 21 13:33:27.203 2021 (UTC + 8:00)
System Uptime: 0 days 0:01:57.592
Loading Kernel Symbols
1: kd> !analyze -v
Bugcheck Analysis
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff88003b80000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8800307ab03, address which referenced memory
*** WARNING: Unable to verify timestamp for airhv.sys
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
GetUlongPtrFromAddress: unable to read from fffff800054ee300
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on WIN-3TVJD1ASNOS
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 11
Key : Analysis.Memory.CommitPeak.Mb
Value: 68
Key : Analysis.System
Value: CreateObject
VIRTUAL_MACHINE: VMware
BUGCHECK_CODE: d1
BUGCHECK_P1: fffff88003b80000
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff8800307ab03
READ_ADDRESS: fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
Unable to get MmSystemRangeStart
GetUlongPtrFromAddress: unable to read from fffff800054ee2f0
GetUlongPtrFromAddress: unable to read from fffff800054ee4a8
fffff88003b80000
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: vmtoolsd.exe
TRAP_FRAME: fffffa8031432cd0 -- (.trap 0xfffffa8031432cd0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000f5d8
rdx=000000000000fed0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8800307ab03 rsp=fffffa8031432e60 rbp=fffffa8031bff810
r8=000000000000fec0 r9=0000000000000020 r10=0000000000000718
r11=fffffa8031432e68 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
airhv+0x9b03:
fffff880`0307ab03 f36e rep outs dx,byte ptr [rsi]
Resetting default scope
BAD_STACK_POINTER: fffffa8031432b88
STACK_TEXT:
fffffa80`31432b88 fffff800`052f2f69 : 00000000`0000000a fffff880`03b80000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffa80`31432b90 fffff800`052f0d88 : 00000000`00000000 fffff880`03b80000 00000000`00000000 fffff880`03b7f718 : nt!KiBugCheckDispatch+0x69
fffffa80`31432cd0 fffff880`0307ab03 : fffff800`05264d0f fffff880`00000001 00000000`7ff4c718 00000000`00000000 : nt!KiPageFault+0x448
fffffa80`31432e60 fffff800`05264d0f : fffff880`00000001 00000000`7ff4c718 00000000`00000000 fffff8a0`01937ce0 : airhv+0x9b03
fffffa80`31432e68 fffff880`00000001 : 00000000`7ff4c718 00000000`00000000 fffff8a0`01937ce0 fffffa80`31673ab0 : nt!MmCreateMdl+0xb7
fffffa80`31432e70 00000000`7ff4c718 : 00000000`00000000 fffff8a0`01937ce0 fffffa80`31673ab0 fffffa80`31bff810 : 0xfffff880`00000001
fffffa80`31432e78 00000000`00000000 : fffff8a0`01937ce0 fffffa80`31673ab0 fffffa80`31bff810 fffff880`0307a15d : 0x7ff4c718
SYMBOL_NAME: airhv+9b03
MODULE_NAME: airhv
IMAGE_NAME: airhv.sys
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: X64_0xD1_STACKPTR_ERROR_airhv+9b03
OS_VERSION: 7.1.7601.24384
BUILDLAB_STR: win7sp1_ldr_escrow
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
FAILURE_ID_HASH: {7ac92028-be9a-ed12-5957-bd8308811d0f}
Reboot the system, run on.bat as administrator, and it reports error 647,
and it cannot be turned off except by rebooting.
if(Hider::IsHidden(IoGetCurrentProcess(), HIDE_NT_YIELD_EXECUTION) == TRUE)
{
OriginalNtYieldExecution();
return STATUS_SUCCESS; //return here STATUS_NO_YIELD_PERFORMED
}
If HyperHideDrv is started first, the computer blue-screens.
DebugView Log
[12:07:14.422] [INFORMATION] [DriverEntry:89] HyperVisor On
[12:07:14.422] [INFORMATION] [DriverEntry:94] Got offsets
[12:07:14.455] [INFORMATION] [DriverEntry:99] Got Ssdt
[12:07:14.504] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffff908000000000
[12:07:14.504] [INFORMATION] [DriverEntry:104] Hider Initialized
[12:07:14.504] [INFORMATION] [DriverEntry:112] PsSetCreateThreadNotifyRoutine succeded
[12:07:14.504] [INFORMATION] [DriverEntry:121] PsSetCreateProcessNotifyRoutine succeded
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA3
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1CD
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x198
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF9
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC7
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x154
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xCF
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xFE
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x137
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserBuildHwndList is equal: 0x1A
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserFindWindowEx is equal: 0x67
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserQueryWindow is equal: 0xE
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetForegroundWindow is equal: 0x37
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetThreadState is equal: 0x0
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [HookWin32kSyscalls:1860] NtUserFindWindowEx hook failed
Is there any kind of similar alternative for AMD cpus? Thanks a lot!
[SC] StartService FAILED 31: device attached to the system is not functioning.
Run on.bat as administrator, it reports error code 31.
VMware® Workstation 17 Pro 17.0.0 build-20800274
Physical Machine: Windows 10 Home, 64-bit (Build 19045.2965) 10.0.19045
Physical Machine Processor: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz 2.59 GHz
Virtual Machine: Windows 10 Professional x64 22H2 19045.2965
cmd "bcdedit /set testsigning on" successfully completed and Virtual Machine rebooted
The test mode is displayed in the lower right corner of the desktop
Virtualization-Based Security (VBS) disabled
00000001 0.00000000 [19:46:55.918] [INFORMATION] [DriverEntry:90] HyperVisor On
cmd:
C:\WINDOWS\system32>sc start airhv
[SC] StartService FAILED 577:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
C:\WINDOWS\system32>sc start HyperHideDrv
[SC] StartService FAILED 577:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
C:\WINDOWS\system32>pause
Press any key to continue . . .
PAGE FAULT IN NONPAGED AREA
C:\Users\Hi\Desktop\HyperHide>sc start HyperHideDrv.sys
[SC] StartService: OpenService FAILED 1060:
The specified service does not exist as an installed service.
C:\Users\Hi\Desktop\HyperHide>sc start HyperHideDrv
[SC] StartService: OpenService FAILED 1060:
The specified service does not exist as an installed service.
C:\Users\Hi\Desktop\HyperHide>
Loading Dump File [C:\Windows\Minidump\062621-23977-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24441.amd64fre.win7sp1_ldr.190418-1735
Machine Name:
Kernel base = 0xfffff800`06808000 PsLoadedModuleList = 0xfffff800`06a41c90
Debug session time: Sat Jun 26 23:37:11.662 2021 (UTC + 8:00)
System Uptime: 0 days 1:21:39.427
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
For analysis of this file, run !analyze -v
3: kd> !analyze -v
Bugcheck Analysis
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
fffff800069ea0e8: Unable to get Flags value from nt!KdVersionBlock
GetUlongPtrFromAddress: unable to read from fffff80006aa5300
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 1
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on XU-PC
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 1
Key : Analysis.Memory.CommitPeak.Mb
Value: 66
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: 109
BUGCHECK_P1: a3a039d8a7a328fd
BUGCHECK_P2: b3b7465efa213a23
BUGCHECK_P3: c0000080
BUGCHECK_P4: 7
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
fffff880`04d08498 00000000`00000000 : 00000000`00000109 a3a039d8`a7a328fd b3b7465e`fa213a23 00000000`c0000080 : nt!KeBugCheckEx
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: BAD_STACK_0x109
OS_VERSION: 7.1.7601.24441
BUILDLAB_STR: win7sp1_ldr
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
FAILURE_ID_HASH: {b4d7023a-05c3-49b2-3ea4-6240fe57d90e}
Title says it all: when I open on.bat it just blue screens me, but I saw no errors in the cmd window.
Hi, I tried to use this plugin to bypass Themida's anti-debug (latest version).
If I start on.bat, then I get a BSOD.
I am just starting to learn about drivers, so I can't fix it.
Error code: WHEA UNCORRECTABLE ERROR
Dump: https://drive.google.com/file/d/1ZZdgCOR3n5V5I8wAcOmC2cUh_cXDttD_/view?usp=sharing
Also, I recommend adding a hook for NtQueryLicenseValue. It can be called from ring3 to check test mode (CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners).
You can see more information here: https://github.com/HyperSine/Windows10-CustomKernelSigners
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
minidump.zip
Loading Dump File [F:\061221-52203-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff805`6cc00000 PsLoadedModuleList = 0xfffff805`6d0432b0
Debug session time: Sat Jun 12 13:51:05.767 2021 (UTC + 11:00)
System Uptime: 0 days 16:38:38.687
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`6cdbc8a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa282`4a02f2d0=00000000`00000050
4: kd> !analyze -v
Bugcheck Analysis
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffba8c0b649900, memory referenced.
Arg2: 0000000000000011, value 0 = read operation, 1 = write operation.
Arg3: ffffba8c0b649900, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)
*** WARNING: Unable to verify timestamp for HyperHideDrv.sys
Could not read faulting driver name
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 8
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on E5_1
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 34
Key : Analysis.Memory.CommitPeak.Mb
Value: 70
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: 50
BUGCHECK_P1: ffffba8c0b649900
BUGCHECK_P2: 11
BUGCHECK_P3: ffffba8c0b649900
BUGCHECK_P4: 2
WRITE_ADDRESS: fffff8056d16e3b0: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock
fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
ffffba8c0b649900
MM_INTERNAL_CODE: 2
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: procexp64.exe
TRAP_FRAME: ffffa2824a02f570 -- (.trap 0xffffa2824a02f570)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000004025 rbx=0000000000000000 rcx=0000000fffffffff
rdx=fffffc7e3f1f8000 rsi=0000000000000000 rdi=0000000000000000
rip=ffffba8c0b649900 rsp=ffffa2824a02f708 rbp=fffff805781a9ea0
r8=0000000000000001 r9=0000000000010fd4 r10=fffffffff4a68134
r11=000000000034bdea r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po nc
ffffba8c`0b649900 0300 add eax,dword ptr [rax] ds:00000000`00004025=????????
Resetting default scope
STACK_TEXT:
ffffa282`4a02f2c8 fffff805`6cddfd54 : 00000000`00000050 ffffba8c`0b649900 00000000`00000011 ffffa282`4a02f570 : nt!KeBugCheckEx
ffffa282`4a02f2d0 fffff805`6cc7aaef : 00000000`00000000 00000000`00000011 00000000`00000000 ffffba8c`0b649900 : nt!MiSystemFault+0x1d2d64
ffffa282`4a02f3d0 fffff805`6cdca79a : 00000000`00000000 00001f80`00000100 00000000`00000000 fffff805`781a9ebc : nt!MmAccessFault+0x34f
ffffa282`4a02f570 ffffba8c`0b649900 : 91000000`04025025 ffff8281`2e603000 ffffba8c`003de870 00000002`3ff05000 : nt!KiPageFault+0x35a
ffffa282`4a02f708 91000000`04025025 : ffff8281`2e603000 ffffba8c`003de870 00000002`3ff05000 fffff805`781a36c2 : 0xffffba8c`0b649900
ffffa282`4a02f710 ffff8281`2e603000 : ffffba8c`003de870 00000002`3ff05000 fffff805`781a36c2 00000000`00000002 : 0x91000000`04025025
ffffa282`4a02f718 ffffba8c`003de870 : 00000002`3ff05000 fffff805`781a36c2 00000000`00000002 00000000`0034be08 : 0xffff8281`2e603000
ffffa282`4a02f720 00000002`3ff05000 : fffff805`781a36c2 00000000`00000002 00000000`0034be08 fffff805`6cc01000 : 0xffffba8c`003de870
ffffa282`4a02f728 fffff805`781a36c2 : 00000000`00000002 00000000`0034be08 fffff805`6cc01000 ffffba8c`0b649900 : 0x00000002`3ff05000
ffffa282`4a02f730 00000000`00000002 : 00000000`0034be08 fffff805`6cc01000 ffffba8c`0b649900 fffff805`781ac2b0 : HyperHideDrv+0x36c2
ffffa282`4a02f738 00000000`0034be08 : fffff805`6cc01000 ffffba8c`0b649900 fffff805`781ac2b0 fffff805`6ccdc92c : 0x2
ffffa282`4a02f740 fffff805`6cc01000 : ffffba8c`0b649900 fffff805`781ac2b0 fffff805`6ccdc92c ffffba8c`08e71eb0 : 0x34be08
ffffa282`4a02f748 ffffba8c`0b649900 : fffff805`781ac2b0 fffff805`6ccdc92c ffffba8c`08e71eb0 00000000`00000002 : nt!SeConvertSecurityDescriptorToStringSecurityDescriptor+0xffffffff`fffffff0
ffffa282`4a02f750 fffff805`781ac2b0 : fffff805`6ccdc92c ffffba8c`08e71eb0 00000000`00000002 00000000`00000000 : 0xffffba8c`0b649900
ffffa282`4a02f758 fffff805`6ccdc92c : ffffba8c`08e71eb0 00000000`00000002 00000000`00000000 00000000`00000000 : HyperHideDrv+0xc2b0
ffffa282`4a02f760 fffff805`781a1e10 : ffffba8c`003de870 ffffba8c`0dc8e380 ffffba8c`08e71eb0 fffff805`6cf503a9 : nt!KeAcquireGuardedMutex+0x1c
ffffa282`4a02f790 ffffba8c`003de870 : ffffba8c`0dc8e380 ffffba8c`08e71eb0 fffff805`6cf503a9 00000000`00000000 : HyperHideDrv+0x1e10
ffffa282`4a02f798 ffffba8c`0dc8e380 : ffffba8c`08e71eb0 fffff805`6cf503a9 00000000`00000000 00000000`00000000 : 0xffffba8c`003de870
ffffa282`4a02f7a0 ffffba8c`08e71eb0 : fffff805`6cf503a9 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffba8c`0dc8e380
ffffa282`4a02f7a8 fffff805`6cf503a9 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff805`781a1489 : 0xffffba8c`08e71eb0
ffffa282`4a02f7b0 fffff805`6cc31cc9 : ffffba8c`08e71eb0 00000000`00000001 00000000`00000001 00000000`0000020c : nt!_guard_retpoline_exit_indirect_rax+0x9
ffffa282`4a02f800 fffff805`6d1eb6c5 : ffffa282`4a02fb80 ffffba8c`08e71eb0 00000000`00000001 ffffba8c`0b70d690 : nt!IofCallDriver+0x59
ffffa282`4a02f840 fffff805`6d1eb01a : ffffba8c`08e71eb0 ffffa282`4a02fb80 00000000`0022240c ffffa282`4a02fb80 : nt!IopSynchronousServiceTail+0x1a5
ffffa282`4a02f8e0 fffff805`6d1eaa36 : ba8c0d9e`d5b0ffed 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x5ca
ffffa282`4a02fa20 fffff805`6cdcdf98 : 00000000`00000001 ffffa282`4a02fb00 00000000`00000000 ffffa282`4a02fa00 : nt!NtDeviceIoControlFile+0x56
ffffa282`4a02fa90 00007ffe`b4bdc144 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
000000c7`ab4ff758 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`b4bdc144
SYMBOL_NAME: HyperHideDrv+36c2
MODULE_NAME: HyperHideDrv
IMAGE_NAME: HyperHideDrv.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 36c2
FAILURE_BUCKET_ID: AV_INVALID_HyperHideDrv!unknown_function
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {d37c959a-417f-c891-0472-d90c19d031fc}
run on.bat --->ok
then run off.bat ---> BSOD
cpu Intel(R) Xeon(R) CPU E3-1230 v3 @ 3.30GHz 3.30 GHz
system win10 19044.2006 21H2
When I run on.bat, I am unable to run Cheat Engine (7.5) properly. I can see the CE process in the Task Manager, but CE cannot be displayed properly. What should I do? Thank you.
Hello author, loading this driver will cause a blue screen. Can you please skip loading the sys driver so that it won't blue screen?
Just load HyperHide.dp64 and HyperHide.ini with other plugins, which makes installation much easier!
from this repository: https://github.com/Ahora57/Unabomber
Some software will detect whether the system is in test mode. Can you hide it??
Hi,
some features, CPUID and RDTSC Hooking, are missing in this plugin.
Best regards
C:\Users\Rodj\Desktop\HyperHide\Scripts>sc start airhv
[SC] StartService: ошибка: 577:
Системе Windows не удается проверить цифровую подпись этого файла. При последнем изменении оборудования или программного обеспечения могла быть произведена установка неправильно подписанного или поврежденного файла либо вредоносной программы неизвестного происхождения.
C:\Users\Rodj\Desktop\HyperHide\Scripts>sc start HyperHideDrv
[SC] StartService: ошибка: 577:
Системе Windows не удается проверить цифровую подпись этого файла. При последнем изменении оборудования или программного обеспечения могла быть произведена установка неправильно подписанного или поврежденного файла либо вредоносной программы неизвестного происхождения.