
hyperhide's Issues

IDA Pro

Hi,

Is it possible to adapt your project for IDA Pro?!

Regards

Failed to load plugin in x64dbg

When I open x64dbg I get [PLUGIN] Failed to load plugin: HyperHide.dp64 in the logs. I made sure that the airhv and HyperHideDrv drivers were loaded by using driverquery.

My Installation steps

  1. Copy HyperHideDrv.sys and airhv.sys to C:\Windows\System32\drivers
  2. Disable driver signing
  3. Run create.bat script as administrator
  4. Run on.bat script as administrator
  5. Copy HyperHide.dp64 and HyperHide.ini to x64dbg plugins folder
  6. Run x64dbg

Computer details

  • Windows 10 19043.928
  • Intel Core i7-4770HQ
  • x64dbg snapshot_2021-05-08_14-17

Please also handle NtContinueEx

Hello,

First of all, let me say that you have created a really great piece of software here, thank you very much.

But now to the issue: since Windows 10 2004, MSFT has added an extended version of the NtContinue syscall called NtContinueEx,
and I have already seen it being used, for example, by the Line messenger.

It would be great if you could add handling for NtContinueEx as well.

Cheers
David

AMD CPU failed to turn on the driver

My CPU is AMD 1950x and CPU virtualization is enabled, but the driver is always in the state of loading failure.

System Ver: Microsoft Windows [Version 10.0.19043.1110]

I enabled Windows 10 test mode with the following commands to allow loading unsigned drivers.

The driver could not be loaded

bcdedit.exe /set nointegritychecks on 
bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe /set testsigning on

error:
C:\Windows\system32>sc start airhv
[SC] StartService fail 2:
C:\Windows\system32>sc start HyperHideDrv
[SC] StartService fail 31:

20210731001035

StartService FAILED 31 2H22 There may still be problems

[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.284] [INFORMATION] [perform_allocation:109] Allocation successful
[02:35:43.300] [INFORMATION] [init_vcpu:272] vcpu entry allocated successfully at FFFFA00491BE3230
[02:35:43.300] [INFORMATION] [init_vcpu:272] vcpu entry allocated successfully at FFFFA00491BE3310
[02:35:43.300] [INFORMATION] [init_logical_processor:368] vcpu 0 is now in VMX operation.

[02:35:43.300] [INFORMATION] [init_logical_processor:368] vcpu 1 is now in VMX operation.

[02:35:43.347] [INFORMATION] [DriverEntry:89] HyperVisor On
[02:35:43.347] [INFORMATION] [DriverEntry:94] Got offsets
[02:35:43.347] [INFORMATION] [DriverEntry:99] Got code caves
[02:35:43.363] [INFORMATION] [DriverEntry:104] Got Ssdt
[02:35:43.394] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffff980000000000
[02:35:43.394] [INFORMATION] [DriverEntry:109] Hider Initialized
[02:35:43.394] [INFORMATION] [DriverEntry:117] PsSetCreateThreadNotifyRoutine succeded
[02:35:43.394] [INFORMATION] [DriverEntry:126] PsSetCreateProcessNotifyRoutine succeded
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA1
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1BD
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x18B
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF2
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC1
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x14A
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xC8
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xF7
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x12E
[02:35:43.394] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [INFORMATION] [hook_function:653] Page already hooked
[02:35:43.394] [ERROR] [hook_function:638] Requested virtual memory doesn't exist in physical one
[02:35:43.394] [ERROR] [HookNtSyscalls:1821] NtSetContextThread hook failed

win10 blue screen

This is a very excellent and useful open-source project! I hope the fix can be completed further!

BSOD hv::vmread(GUEST_LDTR_SELECTOR);


Microsoft (R) Windows Debugger Version 10.0.22000.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff806`72800000 PsLoadedModuleList = 0xfffff806`7342a190
Debug session time: Fri Aug 27 16:09:05.529 2021 (UTC + 8:00)
System Uptime: 0 days 0:05:00.392
Loading Kernel Symbols
...............................................................
.........Page 403808 not present in the dump file. Type ".hh dbgerr004" for details
.......................................................
................................................................
............
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`01291018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.........
For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000014ffd0a, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8067d13d64c, address which referenced memory

Debugging Details:
------------------

Unable to load image \??\D:\Debugger\xgDebuger\airhv.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2187

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 9408

    Key  : Analysis.Init.CPU.mSec
    Value: 2312

    Key  : Analysis.Init.Elapsed.mSec
    Value: 15751

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 105

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  d1

BUGCHECK_P1: 14ffd0a

BUGCHECK_P2: ff

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8067d13d64c

READ_ADDRESS:  00000000014ffd0a 

ADDITIONAL_DEBUG_TEXT:  The trap occurred when interrupts are disabled on the target.

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  xcoronahost.xem

TRAP_FRAME:  ffffe30835072cc0 -- (.trap 0xffffe30835072cc0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00000000014ffd0a
rdx=0000000000005658 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8067d13d64c rsp=ffffe30835072e50 rbp=00000000f344c014
 r8=0000000000e8b86f  r9=0000000000000000 r10=0000000000000000
r11=000000000111e250 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di ng nz na po nc
airhv!vmexit_ldtr_access_handler+0xbc:
fffff806`7d13d64c 488901          mov     qword ptr [rcx],rax ds:00000000`014ffd0a=????????????????
Resetting default scope

BAD_STACK_POINTER:  ffffe30835072b78

STACK_TEXT:  
ffffe308`35072b78 fffff806`72c09169     : 00000000`0000000a 00000000`014ffd0a 00000000`000000ff 00000000`00000000 : nt!KeBugCheckEx
ffffe308`35072b80 fffff806`72c05469     : 1336d8ff`fff8067d ae6000ff`fff8067d 000040ff`fff80672 ae584a00`00000000 : nt!KiBugCheckDispatch+0x69
ffffe308`35072cc0 fffff806`7d13d64c     : 00000000`0000080c fffff806`7d13ce77 ffffe308`35072ff8 fffff806`7d13d331 : nt!KiPageFault+0x469
ffffe308`35072e50 fffff806`7d13dac8     : ffffe308`28913a70 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_ldtr_access_handler+0xbc [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 228] 
ffffe308`35072ec0 fffff806`7d13139c     : ffffe308`35072f20 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmexit_handler+0xe8 [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp @ 1439] 
ffffe308`35072f00 ffffe308`35072f20     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : airhv!vmm_entrypoint+0x4c [D:\work\c\Driver64\VT\HyperHide\airhv\airhv\asm\vm_context.asm @ 60] 
ffffe308`35072f08 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffe308`35072f20


FAULTING_SOURCE_LINE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp

FAULTING_SOURCE_FILE:  D:\work\c\Driver64\VT\HyperHide\airhv\airhv\vmexit_handler.cpp

FAULTING_SOURCE_LINE_NUMBER:  228

FAULTING_SOURCE_CODE:  
   224: 	{
   225: 		// SLDT
   226: 		case 0:
   227: 		{
>  228: 			*linear_address = hv::vmread(GUEST_LDTR_SELECTOR);
   229: 
   230: 			break;
   231: 		}
   232: 
   233: 		// STR


SYMBOL_NAME:  airhv!vmexit_ldtr_access_handler+bc

MODULE_NAME: airhv

IMAGE_NAME:  airhv.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  bc

FAILURE_BUCKET_ID:  DISABLED_INTERRUPT_FAULT_STACKPTR_ERROR_airhv!vmexit_ldtr_access_handler

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {d9cba956-7904-06a1-f790-6a47973b5789}

Followup:     MachineOwner
---------



DRIVER_IRQL_NOT_LESS_OR_EQUAL on WIN7X64 with HyperHide_2021-07-19

Loading Dump File [C:\Windows\Minidump\072121-11247-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24384.amd64fre.win7sp1_ldr_escrow.190220-1800
Machine Name:
Kernel base = 0xfffff80005251000 PsLoadedModuleList = 0xfffff8000548ac90
Debug session time: Wed Jul 21 13:33:27.203 2021 (UTC + 8:00)
System Uptime: 0 days 0:01:57.592
Loading Kernel Symbols

1: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffff88003b80000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8800307ab03, address which referenced memory

Debugging Details:

*** WARNING: Unable to verify timestamp for airhv.sys
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
GetUlongPtrFromAddress: unable to read from fffff800054ee300

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 3

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on WIN-3TVJD1ASNOS

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 11

Key  : Analysis.Memory.CommitPeak.Mb
Value: 68

Key  : Analysis.System
Value: CreateObject

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: d1

BUGCHECK_P1: fffff88003b80000

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8800307ab03

READ_ADDRESS: fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
fffff800054330e8: Unable to get Flags value from nt!KdVersionBlock
Unable to get MmSystemRangeStart
GetUlongPtrFromAddress: unable to read from fffff800054ee2f0
GetUlongPtrFromAddress: unable to read from fffff800054ee4a8
fffff88003b80000

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: vmtoolsd.exe

TRAP_FRAME: fffffa8031432cd0 -- (.trap 0xfffffa8031432cd0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000f5d8
rdx=000000000000fed0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8800307ab03 rsp=fffffa8031432e60 rbp=fffffa8031bff810
r8=000000000000fec0 r9=0000000000000020 r10=0000000000000718
r11=fffffa8031432e68 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
airhv+0x9b03:
fffff880`0307ab03 f36e rep outs dx,byte ptr [rsi]
Resetting default scope

BAD_STACK_POINTER: fffffa8031432b88

STACK_TEXT:
fffffa8031432b88 fffff800052f2f69 : 000000000000000a fffff88003b80000 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffffa8031432b90 fffff800052f0d88 : 0000000000000000 fffff88003b80000 0000000000000000 fffff88003b7f718 : nt!KiBugCheckDispatch+0x69
fffffa8031432cd0 fffff8800307ab03 : fffff80005264d0f fffff88000000001 000000007ff4c718 0000000000000000 : nt!KiPageFault+0x448
fffffa8031432e60 fffff80005264d0f : fffff88000000001 000000007ff4c718 0000000000000000 fffff8a001937ce0 : airhv+0x9b03
fffffa8031432e68 fffff88000000001 : 000000007ff4c718 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 : nt!MmCreateMdl+0xb7
fffffa8031432e70 000000007ff4c718 : 0000000000000000 fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 : 0xfffff88000000001
fffffa8031432e78 0000000000000000 : fffff8a001937ce0 fffffa8031673ab0 fffffa8031bff810 fffff880`0307a15d : 0x7ff4c718

SYMBOL_NAME: airhv+9b03

MODULE_NAME: airhv

IMAGE_NAME: airhv.sys

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: X64_0xD1_STACKPTR_ERROR_airhv+9b03

OS_VERSION: 7.1.7601.24384

BUILDLAB_STR: win7sp1_ldr_escrow

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {7ac92028-be9a-ed12-5957-bd8308811d0f}

Followup: MachineOwner

HookedNtYieldExecution return value error

    if (Hider::IsHidden(IoGetCurrentProcess(), HIDE_NT_YIELD_EXECUTION) == TRUE)
    {
        OriginalNtYieldExecution();
        return STATUS_SUCCESS; // return here STATUS_NO_YIELD_PERFORMED
    }

sc start HyperHideDrv [SC] StartService Failed 31 on Intel x64 Win11 23H2

Start HyperHideDrv first, the computer will have a blue screen

DebugView Log

[12:07:14.422] [INFORMATION] [DriverEntry:89] HyperVisor On
[12:07:14.422] [INFORMATION] [DriverEntry:94] Got offsets
[12:07:14.455] [INFORMATION] [DriverEntry:99] Got Ssdt
[12:07:14.504] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffff908000000000
[12:07:14.504] [INFORMATION] [DriverEntry:104] Hider Initialized
[12:07:14.504] [INFORMATION] [DriverEntry:112] PsSetCreateThreadNotifyRoutine succeded
[12:07:14.504] [INFORMATION] [DriverEntry:121] PsSetCreateProcessNotifyRoutine succeded
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA3
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1CD
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x198
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF9
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC7
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x154
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xCF
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xFE
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x137
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserBuildHwndList is equal: 0x1A
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserFindWindowEx is equal: 0x67
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserQueryWindow is equal: 0xE
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetForegroundWindow is equal: 0x37
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetThreadState is equal: 0x0
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [HookWin32kSyscalls:1860] NtUserFindWindowEx hook failed

amd alt?

Is there any kind of similar alternative for AMD cpus? Thanks a lot!

sc start HyperHideDrv [SC] StartService Failed 31 on Intel x64 Win10 22H2

Description

[SC] StartService FAILED 31: device attached to the system is not functioning.
Running on.bat as administrator reports error code 31.

Environment

VMware® Workstation 17 Pro 17.0.0 build-20800274
Physical Machine: Windows 10 Home, 64-bit (Build 19045.2965) 10.0.19045
Physical Machine Processor: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz 2.59 GHz
Virtual Machine: Windows 10 Professional x64 22H2 19045.2965
cmd "bcdedit /set testsigning on" successfully completed and Virtual Machine rebooted
The test mode is displayed in the lower right corner of the desktop

VT-x enabled

Hyper-V disabled

Virtualization-Based Security (VBS) disabled

Secure Boot disabled

Dbgview

00000001 0.00000000 [19:46:55.918] [INFORMATION] [DriverEntry:90] HyperVisor On

Regedit

driver path

sign incorrectly

cmd:
C:\WINDOWS\system32>sc start airhv
[SC] StartService FAILED 577:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

C:\WINDOWS\system32>sc start HyperHideDrv
[SC] StartService FAILED 577:

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

C:\WINDOWS\system32>pause
Press any key to continue . . .

[SC] StartService: OpenService FAILED 1060

C:\Users\Hi\Desktop\HyperHide>sc start HyperHideDrv.sys
[SC] StartService: OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\Users\Hi\Desktop\HyperHide>sc start HyperHideDrv
[SC] StartService: OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\Users\Hi\Desktop\HyperHide>

Crash with HyperHide_2021-06-13

Loading Dump File [C:\Windows\Minidump\062621-23977-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24441.amd64fre.win7sp1_ldr.190418-1735
Machine Name:
Kernel base = 0xfffff80006808000 PsLoadedModuleList = 0xfffff80006a41c90
Debug session time: Sat Jun 26 23:37:11.662 2021 (UTC + 8:00)
System Uptime: 0 days 1:21:39.427
Loading Kernel Symbols
...............................................................
................................................................
..................................................
Loading User Symbols
Loading unloaded module list
..........
For analysis of this file, run !analyze -v
3: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:

  1. A driver has inadvertently or deliberately modified critical kernel code
    or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
  2. A developer attempted to set a normal kernel breakpoint using a kernel
    debugger that was not attached when the system was booted. Normal breakpoints,
    "bp", can only be set if the debugger is attached at boot time. Hardware
    breakpoints, "ba", can be set at any time.
  3. A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d8a7a328fd, Reserved
Arg2: b3b7465efa213a23, Reserved
Arg3: 00000000c0000080, Failure type dependent information
Arg4: 0000000000000007, Type of corrupted region, can be
	0   : A generic data region
	1   : Modification of a function or .pdata
	2   : A processor IDT
	3   : A processor GDT
	4   : Type 1 process list corruption
	5   : Type 2 process list corruption
	6   : Debug routine modification
	7   : Critical MSR modification
	8   : Object type
	9   : A processor IVT
	a   : Modification of a system service function
	b   : A generic session data region
	c   : Modification of a session function or .pdata
	d   : Modification of an import table
	e   : Modification of a session import table
	f   : Ps Win32 callout modification
	10  : Debug switch routine modification
	11  : IRP allocator modification
	12  : Driver call dispatcher modification
	13  : IRP completion dispatcher modification
	14  : IRP deallocator modification
	15  : A processor control register
	16  : Critical floating point control register modification
	17  : Local APIC modification
	18  : Kernel notification callout modification
	19  : Loaded module list modification
	1a  : Type 3 process list corruption
	1b  : Type 4 process list corruption
	1c  : Driver object corruption
	1d  : Executive callback object modification
	1e  : Modification of module padding
	1f  : Modification of a protected process
	20  : A generic data region
	21  : A page hash mismatch
	22  : A session page hash mismatch
	23  : Load config directory modification
	24  : Inverted function table modification
	25  : Session configuration modification
	26  : An extended processor control register
	27  : Type 1 pool corruption
	28  : Type 2 pool corruption
	29  : Type 3 pool corruption
	2a  : Type 4 pool corruption
	2b  : Modification of a function or .pdata
	2c  : Image integrity corruption
	2d  : Processor misconfiguration
	2e  : Type 5 process list corruption
	2f  : Process shadow corruption
	30  : Retpoline code page corruption
	101 : General pool corruption
	102 : Modification of win32k.sys

Debugging Details:

fffff800069ea0e8: Unable to get Flags value from nt!KdVersionBlock
GetUlongPtrFromAddress: unable to read from fffff80006aa5300

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 1

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on XU-PC

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 1

Key  : Analysis.Memory.CommitPeak.Mb
Value: 66

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 109

BUGCHECK_P1: a3a039d8a7a328fd

BUGCHECK_P2: b3b7465efa213a23

BUGCHECK_P3: c0000080

BUGCHECK_P4: 7

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

STACK_TEXT:
fffff88004d08498 0000000000000000 : 0000000000000109 a3a039d8a7a328fd b3b7465efa213a23 00000000c0000080 : nt!KeBugCheckEx

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: BAD_STACK_0x109

OS_VERSION: 7.1.7601.24441

BUILDLAB_STR: win7sp1_ldr

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {b4d7023a-05c3-49b2-3ea4-6240fe57d90e}

Followup: MachineOwner

on.bat blue screen

Title says it all: when I run on.bat it just blue screens, but I saw no errors in the cmd window.

Fucking BSOD

Hi, I tried using this plugin to bypass the anti-debug of Themida (latest version).
If I start on.bat, then I get a BSOD.
I am just starting to learn about drivers, so I can't fix it.
Bugcheck code: WHEA UNCORRECTABLE ERROR
Dump: https://drive.google.com/file/d/1ZZdgCOR3n5V5I8wAcOmC2cUh_cXDttD_/view?usp=sharing

Also, I recommend adding a hook for NtQueryLicenseValue. It can be called from ring3 to check for test mode (CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners).
You can see more information here: https://github.com/HyperSine/Windows10-CustomKernelSigners

Compile failed (win7 x64 6.1.7601.24441)

When I try to compile the latest code, I get a lot of errors. Can someone tell me how to fix it? Thanks a lot.

Details:
Windows 7 x64 sp1 ( 6.1.7601.24441)
Microsoft Visual Studio Enterprise 2019 version 16.10.2
WDK 10.0.19030.1000

Crash when selecting KUserSharedData or Clear KUserSharedData

Loading Dump File [F:\061221-52203-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff8056cc00000 PsLoadedModuleList = 0xfffff8056d0432b0
Debug session time: Sat Jun 12 13:51:05.767 2021 (UTC + 11:00)
System Uptime: 0 days 16:38:38.687
Loading Kernel Symbols
...............................................................
................................................................
...................................
Loading User Symbols
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff8056cdbc8a0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa2824a02f2d0=0000000000000050
4: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffba8c0b649900, memory referenced.
Arg2: 0000000000000011, value 0 = read operation, 1 = write operation.
Arg3: ffffba8c0b649900, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)

Debugging Details:

*** WARNING: Unable to verify timestamp for HyperHideDrv.sys

Could not read faulting driver name

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.Sec
Value: 8

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on E5_1

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 34

Key  : Analysis.Memory.CommitPeak.Mb
Value: 70

Key  : Analysis.System
Value: CreateObject

BUGCHECK_CODE: 50

BUGCHECK_P1: ffffba8c0b649900

BUGCHECK_P2: 11

BUGCHECK_P3: ffffba8c0b649900

BUGCHECK_P4: 2

WRITE_ADDRESS: fffff8056d16e3b0: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock
fffff8056d0253b8: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
ffffba8c0b649900

MM_INTERNAL_CODE: 2

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: procexp64.exe

TRAP_FRAME: ffffa2824a02f570 -- (.trap 0xffffa2824a02f570)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000004025 rbx=0000000000000000 rcx=0000000fffffffff
rdx=fffffc7e3f1f8000 rsi=0000000000000000 rdi=0000000000000000
rip=ffffba8c0b649900 rsp=ffffa2824a02f708 rbp=fffff805781a9ea0
r8=0000000000000001 r9=0000000000010fd4 r10=fffffffff4a68134
r11=000000000034bdea r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po nc
ffffba8c0b649900 0300 add eax,dword ptr [rax] ds:0000000000004025=????????
Resetting default scope

STACK_TEXT:
ffffa2824a02f2c8 fffff8056cddfd54 : 0000000000000050 ffffba8c0b649900 0000000000000011 ffffa2824a02f570 : nt!KeBugCheckEx
ffffa2824a02f2d0 fffff8056cc7aaef : 0000000000000000 0000000000000011 0000000000000000 ffffba8c0b649900 : nt!MiSystemFault+0x1d2d64
ffffa2824a02f3d0 fffff8056cdca79a : 0000000000000000 00001f8000000100 0000000000000000 fffff805781a9ebc : nt!MmAccessFault+0x34f
ffffa2824a02f570 ffffba8c0b649900 : 9100000004025025 ffff82812e603000 ffffba8c003de870 000000023ff05000 : nt!KiPageFault+0x35a
ffffa2824a02f708 9100000004025025 : ffff82812e603000 ffffba8c003de870 000000023ff05000 fffff805781a36c2 : 0xffffba8c0b649900
ffffa2824a02f710 ffff82812e603000 : ffffba8c003de870 000000023ff05000 fffff805781a36c2 0000000000000002 : 0x9100000004025025
ffffa2824a02f718 ffffba8c003de870 : 000000023ff05000 fffff805781a36c2 0000000000000002 000000000034be08 : 0xffff82812e603000
ffffa2824a02f720 000000023ff05000 : fffff805781a36c2 0000000000000002 000000000034be08 fffff8056cc01000 : 0xffffba8c003de870
ffffa2824a02f728 fffff805781a36c2 : 0000000000000002 000000000034be08 fffff8056cc01000 ffffba8c0b649900 : 0x000000023ff05000
ffffa2824a02f730 0000000000000002 : 000000000034be08 fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 : HyperHideDrv+0x36c2
ffffa2824a02f738 000000000034be08 : fffff8056cc01000 ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c : 0x2
ffffa2824a02f740 fffff8056cc01000 : ffffba8c0b649900 fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 : 0x34be08
ffffa2824a02f748 ffffba8c0b649900 : fffff805781ac2b0 fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 : nt!SeConvertSecurityDescriptorToStringSecurityDescriptor+0xfffffffffffffff0
ffffa2824a02f750 fffff805781ac2b0 : fffff8056ccdc92c ffffba8c08e71eb0 0000000000000002 0000000000000000 : 0xffffba8c0b649900
ffffa2824a02f758 fffff8056ccdc92c : ffffba8c08e71eb0 0000000000000002 0000000000000000 0000000000000000 : HyperHideDrv+0xc2b0
ffffa2824a02f760 fffff805781a1e10 : ffffba8c003de870 ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 : nt!KeAcquireGuardedMutex+0x1c
ffffa2824a02f790 ffffba8c003de870 : ffffba8c0dc8e380 ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 : HyperHideDrv+0x1e10
ffffa2824a02f798 ffffba8c0dc8e380 : ffffba8c08e71eb0 fffff8056cf503a9 0000000000000000 0000000000000000 : 0xffffba8c003de870
ffffa2824a02f7a0 ffffba8c08e71eb0 : fffff8056cf503a9 0000000000000000 0000000000000000 0000000000000000 : 0xffffba8c0dc8e380
ffffa2824a02f7a8 fffff8056cf503a9 : 0000000000000000 0000000000000000 0000000000000000 fffff805781a1489 : 0xffffba8c08e71eb0
ffffa2824a02f7b0 fffff8056cc31cc9 : ffffba8c08e71eb0 0000000000000001 0000000000000001 000000000000020c : nt!_guard_retpoline_exit_indirect_rax+0x9
ffffa2824a02f800 fffff8056d1eb6c5 : ffffa2824a02fb80 ffffba8c08e71eb0 0000000000000001 ffffba8c0b70d690 : nt!IofCallDriver+0x59
ffffa2824a02f840 fffff8056d1eb01a : ffffba8c08e71eb0 ffffa2824a02fb80 000000000022240c ffffa2824a02fb80 : nt!IopSynchronousServiceTail+0x1a5
ffffa2824a02f8e0 fffff8056d1eaa36 : ba8c0d9ed5b0ffed 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x5ca
ffffa2824a02fa20 fffff8056cdcdf98 : 0000000000000001 ffffa2824a02fb00 0000000000000000 ffffa2824a02fa00 : nt!NtDeviceIoControlFile+0x56
ffffa2824a02fa90 00007ffeb4bdc144 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
000000c7ab4ff758 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`b4bdc144

SYMBOL_NAME: HyperHideDrv+36c2

MODULE_NAME: HyperHideDrv

IMAGE_NAME: HyperHideDrv.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 36c2

FAILURE_BUCKET_ID: AV_INVALID_HyperHideDrv!unknown_function

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {d37c959a-417f-c891-0472-d90c19d031fc}

Followup: MachineOwner

vmp3.5 "Virtual Machine"

vmprotect v3.5.0: any program will prompt as long as virtual machine detection is enabled.
HyperHide->(√)Hypervisor not visible

about cheat engine

When I run on.bat, I am unable to run Cheat Engine (7.5) properly. I can see the CE process in the Task Manager, but CE cannot be displayed properly. What should I do? Thank you.

blue screen

Hello author, loading this driver causes a blue screen. Can you please skip loading the sys driver so that it won't blue screen?
Just load HyperHide.dp64 and HyperHide.ini with the other plugins, which makes installation much easier!

Error 577

C:\Users\Rodj\Desktop\HyperHide\Scripts>sc start airhv
[SC] StartService: ошибка: 577:

Системе Windows не удается проверить цифровую подпись этого файла. При последнем изменении оборудования или программного обеспечения могла быть произведена установка неправильно подписанного или поврежденного файла либо вредоносной программы неизвестного происхождения.

C:\Users\Rodj\Desktop\HyperHide\Scripts>sc start HyperHideDrv
[SC] StartService: ошибка: 577:

Системе Windows не удается проверить цифровую подпись этого файла. При последнем изменении оборудования или программного обеспечения могла быть произведена установка неправильно подписанного или поврежденного файла либо вредоносной программы неизвестного происхождения.
