HyperDbg Debugger

Try to hide SYSCALL methods from anti-debugging and anti-hypervisor.

#include "pch.h"

Functions
| Return | Function | Description |
| --- | --- | --- |
| VOID | TransparentHandleSystemCallHook (GUEST_REGS *Regs) | Handle the triggered hook on the KiSystemCall64 system call handler when transparent mode is enabled. |
| VOID | TransparentHandleNtQuerySystemInformationSyscall (GUEST_REGS *Regs) | Handle the NtQuerySystemInformation system call when transparent mode is enabled. |
| PVOID | TransparentGetObjectNameFromAttributesVirtualPointer (UINT64 virtPtr) | Obtain a copy of the PWCHAR wide-character string from an OBJECT_ATTRIBUTES structure at a guest virtual address. |
| VOID | TransparentHandleNtQueryAttributesFileSyscall (GUEST_REGS *Regs) | Handle the NtQueryAttributesFile system call when transparent mode is enabled. |
| VOID | TransparentHandleNtOpenDirectoryObjectSyscall (GUEST_REGS *Regs) | Handle the NtOpenDirectoryObject system call when transparent mode is enabled. |
| VOID | TransparentHandleNtSystemDebugControlSyscall (GUEST_REGS *Regs) | Handle the NtSystemDebugControl system call when transparent mode is enabled. |
| VOID | TransparentHandleNtQueryInformationProcessSyscall (GUEST_REGS *Regs) | Handle the NtQueryInformationProcess system call when transparent mode is enabled. |
| VOID | TransparentHandleNtOpenFileSyscall (GUEST_REGS *Regs) | Handle the NtOpenFile system call when transparent mode is enabled. |
| VOID | TransparentHandleNtOpenKeySyscall (GUEST_REGS *Regs) | Handle the NtOpenKey system call when transparent mode is enabled. |
| VOID | TransparentHandleNtQueryValueKeySyscall (GUEST_REGS *Regs) | Handle the NtQueryValueKey system call when transparent mode is enabled. |
| VOID | TransparentHandleNtEnumerateKeySyscall (GUEST_REGS *Regs) | Handle the NtEnumerateKey system call when transparent mode is enabled. |
| BOOLEAN | TransparentHandleModuleInformationQuery (PVOID Ptr, UINT64 VirtualAddress, UINT32 BufferSize) | Handle the request for SystemModuleInformation. |
| BOOLEAN | TransparentHandleProcessInformationQuery (SYSCALL_CALLBACK_CONTEXT_PARAMS *Params) | Handle the request for SystemProcessInformation. |
| UINT64 | TransparentHandleFirmwareInformationQuery (UINT64 Ptr, UINT32 BufMaxSize, UINT64 BufSizePtr) | Handle the request for SystemFirmwareTableInformation. |
| UINT64 | TransparentReplaceVendorStringFromBufferWChar (SYSCALL_CALLBACK_CONTEXT_PARAMS *Params, ULONG DataOffset, ULONG DataLenOffset) | Replace occurrences of hypervisor-specific strings with legitimate vendor strings in the provided buffer. |
| UINT64 | TransparentCallbackHandleAfterNtQueryValueKeySyscall (SYSCALL_CALLBACK_CONTEXT_PARAMS *Params) | Callback function to handle the return from the NtQueryValueKey syscall. |
| UINT64 | TransparentCallbackHandleAfterNtEnumerateKeySyscall (SYSCALL_CALLBACK_CONTEXT_PARAMS *Params) | Callback function to handle the return from the NtEnumerateKey syscall. |
| VOID | TransparentCallbackHandleAfterNtQuerySystemInformationSyscall (GUEST_REGS *Regs, SYSCALL_CALLBACK_CONTEXT_PARAMS *Params) | Callback function to handle the return from the NtQuerySystemInformation syscall. |
| VOID | TransparentCallbackHandleAfterSyscall (GUEST_REGS *Regs, UINT32 ProcessId, UINT32 ThreadId, UINT64 Context, SYSCALL_CALLBACK_CONTEXT_PARAMS *Params) | Callback function to handle returns from the syscall. |
UINT64 TransparentCallbackHandleAfterNtEnumerateKeySyscall (SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
Callback function to handle the return from the NtEnumerateKey syscall.
| Params | The preset transparent callback params: OptionalParam1 holds the KEY_VALUE_INFORMATION_CLASS enum value; OptionalParam2 a pointer to a valid readable/writable memory buffer that contains both a WCHAR string and its length in bytes; OptionalParam3 the maximum size in bytes of the allocated buffer; OptionalParam4 a pointer to a ULONG holding the current size of the buffer |
VOID TransparentCallbackHandleAfterNtQuerySystemInformationSyscall (GUEST_REGS *Regs, SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
Callback function to handle the return from the NtQuerySystemInformation syscall.
| Regs | The virtual processor's state of registers |
| Params | The (optional) parameters of the caller |
UINT64 TransparentCallbackHandleAfterNtQueryValueKeySyscall (SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
Callback function to handle the return from the NtQueryValueKey syscall.
| Params | The preset transparent callback params: OptionalParam1 holds the KEY_VALUE_INFORMATION_CLASS enum value; OptionalParam2 a pointer to a valid readable/writable memory buffer that contains both a WCHAR string and its length in bytes; OptionalParam3 the maximum size in bytes of the allocated buffer; OptionalParam4 a pointer to a ULONG holding the current size of the buffer |
VOID TransparentCallbackHandleAfterSyscall (GUEST_REGS *Regs, UINT32 ProcessId, UINT32 ThreadId, UINT64 Context, SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
Callback function to handle returns from the syscall.
| Regs | The virtual processor's state of registers |
| ProcessId | The process id of the thread |
| ThreadId | The thread id of the thread |
| Context | The context of the caller |
| Params | The (optional) parameters of the caller |
PVOID TransparentGetObjectNameFromAttributesVirtualPointer (UINT64 virtPtr)
Obtain a copy of the PWCHAR wide-character string from an OBJECT_ATTRIBUTES structure at a guest virtual address.
Returns an allocated, tagged memory pointer that must be freed with PlatformMemFreePool().
| virtPtr | A guest virtual memory address pointing at an OBJECT_ATTRIBUTES structure |
UINT64 TransparentHandleFirmwareInformationQuery (UINT64 Ptr, UINT32 BufMaxSize, UINT64 BufSizePtr)
Handle the request for SystemFirmwareTableInformation.
| Ptr | The pointer to a valid read/writable SYSTEM_FIRMWARE_TABLE_INFORMATION memory buffer |
| BufMaxSize | The size of the allocated user-mode buffer |
| BufSizePtr | A pointer to a ULONG field containing the size of the written data |
BOOLEAN TransparentHandleModuleInformationQuery (PVOID Ptr, UINT64 VirtualAddress, UINT32 BufferSize)
Handle the request for SystemModuleInformation.
This function removes entries from the list of system drivers that could reveal the presence of a hypervisor. It relies on HV_DRIVER, an incomplete list of known hypervisor drivers. The revealing entries are removed and overwritten, but the memory buffer is not reallocated, so user space can still detect that some tampering took place.
| Ptr | The pointer to a valid read/writable SYSTEM_MODULE_INFORMATION memory buffer |
| VirtualAddress | A pointer to a user-mode virtual address |
| BufferSize | Size of the user-mode buffer |
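An added example (not HyperDbg's code) that models the in-place entry removal described above and the residue it leaves behind. The structures are reduced stand-ins for the kernel's module list, the hidden-name list is a constructed placeholder for HV_DRIVER, and the sample driver names are constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Reduced stand-ins for the kernel's module list: only the fields used here
 * (the real RTL_PROCESS_MODULE_INFORMATION carries more). */
typedef struct { uint16_t OffsetToFileName; char FullPathName[256]; } MODULE_ENTRY;
typedef struct { uint32_t NumberOfModules; MODULE_ENTRY Modules[]; } MODULE_LIST;

/* Constructed placeholder for HV_DRIVER, the list of known hypervisor drivers. */
static const char *const HIDE_NAMES[] = { "example-hv-driver.sys" };

static int name_is_hidden(const MODULE_ENTRY *e) {
    for (size_t i = 0; i < sizeof HIDE_NAMES / sizeof *HIDE_NAMES; i++)
        if (strcmp(e->FullPathName + e->OffsetToFileName, HIDE_NAMES[i]) == 0) return 1;
    return 0;
}

/* Fill buf with a constructed sample list of n driver file names. */
MODULE_LIST *make_sample_list(void *buf, const char *const *names, uint32_t n) {
    static const char prefix[] = "\\SystemRoot\\System32\\drivers\\";
    MODULE_LIST *list = buf;
    list->NumberOfModules = n;
    for (uint32_t i = 0; i < n; i++) {
        MODULE_ENTRY *e = &list->Modules[i];
        memset(e, 0, sizeof *e);
        snprintf(e->FullPathName, sizeof e->FullPathName, "%s%s", prefix, names[i]);
        e->OffsetToFileName = (uint16_t)(sizeof prefix - 1);
    }
    return list;
}

/* Compact the list in place: drop hidden entries, zero the stale tail, fix the
 * count. Returns how many entries were removed; the buffer is not shrunk. */
uint32_t remove_hidden_modules(MODULE_LIST *list) {
    uint32_t kept = 0;
    for (uint32_t i = 0; i < list->NumberOfModules; i++)
        if (!name_is_hidden(&list->Modules[i]))
            list->Modules[kept++] = list->Modules[i];
    uint32_t removed = list->NumberOfModules - kept;
    memset(&list->Modules[kept], 0, removed * sizeof(MODULE_ENTRY));
    list->NumberOfModules = kept;
    return removed;
}

/* Size the list should have for the count it now reports; a larger kernel
 * ReturnLength than this betrays the in-place edit (the caveat noted above). */
size_t expected_list_size(const MODULE_LIST *list) {
    return offsetof(MODULE_LIST, Modules) + list->NumberOfModules * sizeof(MODULE_ENTRY);
}
```

Comparing `expected_list_size()` after the edit with the length the kernel originally reported is exactly the consistency check a user-mode caller could perform, which is why the page notes the tampering remains detectable.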
VOID TransparentHandleNtEnumerateKeySyscall (GUEST_REGS *Regs)
Handle the NtEnumerateKey system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
VOID TransparentHandleNtOpenDirectoryObjectSyscall (GUEST_REGS *Regs)
Handle the NtOpenDirectoryObject system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
VOID TransparentHandleNtOpenFileSyscall (GUEST_REGS *Regs)
Handle the NtOpenFile system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
VOID TransparentHandleNtOpenKeySyscall (GUEST_REGS *Regs)
Handle the NtOpenKey system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
VOID TransparentHandleNtQueryAttributesFileSyscall (GUEST_REGS *Regs)
Handle the NtQueryAttributesFile system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
VOID TransparentHandleNtQueryInformationProcessSyscall (GUEST_REGS *Regs)
Handle the NtQueryInformationProcess system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
VOID TransparentHandleNtQuerySystemInformationSyscall (GUEST_REGS *Regs)
Handle the NtQuerySystemInformation system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
VOID TransparentHandleNtQueryValueKeySyscall (GUEST_REGS *Regs)
Handle the NtQueryValueKey system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
VOID TransparentHandleNtSystemDebugControlSyscall (GUEST_REGS *Regs)
Handle the NtSystemDebugControl system call when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
BOOLEAN TransparentHandleProcessInformationQuery (SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
Handle the request for SystemProcessInformation.
This function removes entries from the list of active system processes that could reveal the presence of a hypervisor.
| Params | The preset transparent callback params: OptionalParam2 holds a pointer to a valid readable/writable memory buffer containing a SYSTEM_PROCESS_INFORMATION structure; OptionalParam3 the maximum size in bytes of the allocated buffer |
VOID TransparentHandleSystemCallHook (GUEST_REGS *Regs)
Handle the triggered hook on the KiSystemCall64 system call handler when transparent mode is enabled.
| Regs | The virtual processor's state of registers |
UINT64 TransparentReplaceVendorStringFromBufferWChar (SYSCALL_CALLBACK_CONTEXT_PARAMS *Params, ULONG DataOffset, ULONG DataLenOffset)
Replace occurrences of hypervisor-specific strings with legitimate vendor strings in the provided buffer.
| Params | The preset transparent callback params: OptionalParam2 holds a pointer to a valid readable/writable memory buffer that contains both a WCHAR string and its length in bytes; OptionalParam3 the maximum size in bytes of the allocated buffer; OptionalParam4 a pointer to a ULONG holding the current size of the buffer |
| DataOffset | Offset in bytes from OptionalParam2 to the start of the WCHAR data string |
| DataLenOffset | Offset in bytes from OptionalParam2 to a ULONG containing the string length (in bytes) |