SyscallFootprints.h
12#pragma once
13
15// Enums //
17
35// Structures //
37
/**
 * @brief Function-pointer type with the ZwQuerySystemInformation signature
 *
 * @details Takes the information class to query (see SYSTEM_INFORMATION_CLASS),
 * a caller-supplied output buffer with its length, and an optional pointer that
 * receives the required/returned length. IN/OUT/OPTIONAL are annotation macros
 * only and do not affect the type.
 */
typedef NTSTATUS(NTAPI * ZWQUERYSYSTEMINFORMATION)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);
130
131NTSTATUS(*g_NtCreateFileOrig)
132(
133 PHANDLE FileHandle,
134 ACCESS_MASK DesiredAccess,
135 POBJECT_ATTRIBUTES ObjectAttributes,
136 PIO_STATUS_BLOCK IoStatusBlock,
137 PLARGE_INTEGER AllocationSize,
146// Globals //
148
/**
 * @brief Index into a table of genuine vendor strings (presumably
 * TRANSPARENT_LEGIT_VENDOR_STRINGS_WCHAR — confirm against its users in
 * SyscallFootprints.c)
 *
 * NOTE(review): this is defined with `static` in a header, so every translation
 * unit that includes the file gets its own zero-initialised copy. If the index is
 * meant to be shared state, declare it `extern` here and define it in one .c file.
 */
static WORD g_TransparentGenuineVendorStringIndex = 0;
154
159
161// Constants //
163
164#if ActivateHyperEvadeProject == TRUE
165
/**
 * @brief Windows system processes that transparent mode leaves alone
 *
 * @details ANSI process image names; by the name, requests originating from these
 * processes are presumably exempted from footprint filtering so that core
 * session/shell components keep seeing unmodified results — confirm with the
 * callers in SyscallFootprints.c. Compared as plain names, no path component.
 */
static const PCHAR TRANSPARENT_WIN_PROCESS_IGNORE[] = {
    "winlogon.exe",
    "wininit.exe",
    "csrss.exe",
    "sihost.exe",
    "explorer.exe",
};
178
/**
 * @brief PCI vendor-ID fragments of real hardware vendors
 *
 * @details Wide strings in the `VEN_xxxx` form used in PnP device instance IDs.
 * Presumably used as replacement values for the virtual-machine vendor IDs listed
 * at the top of HV_REGKEYS when registry data is rewritten — confirm with the
 * NtQueryValueKey/NtEnumerateKey handlers.
 */
static const PWCHAR TRANSPARENT_LEGIT_DEVICE_ID_VENDOR_STRINGS_WCHAR[] = {
    L"VEN_8086", // Intel
    L"VEN_10DE", // NVIDIA
    L"VEN_1002", // AMD
    L"VEN_10EC", // Realtek

};
190
/**
 * @brief Manufacturer/vendor names as they appear on genuine (non-virtual) machines
 *
 * @details Wide strings grouped by vendor, covering the spelling variants seen in
 * SMBIOS and registry fields (e.g. SystemManufacturer). Presumably the table that
 * g_TransparentGenuineVendorStringIndex selects from when a hypervisor vendor
 * string has to be replaced — confirm with the callers. Order within a vendor
 * group is not significant beyond which variant is picked first.
 */
static const PWCHAR TRANSPARENT_LEGIT_VENDOR_STRINGS_WCHAR[] = {
    // ASUS
    L"ASUS",
    L"ASUSTeK Computer INC.",
    L"ASUSTek",
    L"ASUSTEK COMPUTER INC.",

    // MSI
    L"Micro-Star International Co., Ltd.",
    L"MSI",
    L"MICRO-STAR INTERNATIONAL CO., LTD",

    // Gigabyte
    L"Gigabyte Technology Co., Ltd.",
    L"GIGABYTE",
    L"Gigabyte Technology",

    // ASRock
    L"ASRock",
    L"ASRock Incorporation",
    L"ASRock Inc.",

    // Dell
    L"Dell Inc.",
    L"DELL",
    L"Dell Computer Corporation",

    // HP
    L"Hewlett-Packard",
    L"Hewlett Packard",
    L"HP",
    L"HP Inc.",

    // Lenovo
    L"LENOVO",
    L"Lenovo Group Limited",

    // Intel
    L"Intel Corporation",
    L"Intel",

    // EVGA
    L"EVGA Corporation",
    L"EVGA",
};
239
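/**
 * @brief Process image names that reveal a hypervisor guest or an analysis tool
 *
 * @details Wide-string process names, presumably hidden from process enumeration
 * results (SystemProcessInformation and related classes handled by the
 * NtQuerySystemInformation handler) while transparent mode is active — confirm
 * with SyscallFootprints.c. The first group covers HyperDbg itself plus
 * VirtualBox/VMware/Xen/QEMU guest agents; the second group covers common
 * debugging, tracing and reverse-engineering tools. Each name must appear exactly
 * once (a duplicate L"VGAuthService.exe" entry was removed); the matching done on
 * this table is not known from this header, so case variants are kept as written.
 */
static const PWCH HV_PROCESSES[] = {
    L"hyperdbg-cli.exe",
    L"vboxservice.exe",
    L"vmsrvc.exe",
    L"xenservice.exe",
    L"vm3dservice.exe",
    L"VGAuthService.exe",
    L"vmtoolsd.exe",
    L"vdagent.exe",
    L"vdservice.exe",
    L"qemuwmi.exe",
    L"vboxtray.exe",
    L"VBoxControl.exe",

    //
    // Common Debugging Tools
    //
    L"ollydbg.exe",
    L"ollyice.exe",
    L"ProcessHacker.exe",
    L"tcpview.exe",
    L"autoruns.exe",
    L"autorunsc.exe",
    L"filemon.exe",
    L"procmon.exe",
    L"regmon.exe",
    L"procexp.exe",
    L"idaq.exe",
    L"idaq64.exe",
    L"ImmunityDebugger.exe",
    L"Wireshark.exe",
    L"dumpcap.exe",
    L"HookExplorer.exe",
    L"ImportREC.exe",
    L"PETools.exe",
    L"LordPE.exe",
    L"SysInspector.exe",
    L"proc_analyzer.exe",
    L"sysAnalyzer.exe",
    L"sniff_hit.exe",
    L"windbg.exe",
    L"joeboxcontrol.exe",
    L"joeboxserver.exe",
    L"ResourceHacker.exe",
    L"x32dbg.exe",
    L"x64dbg.exe",
    L"Fiddler.exe",
    L"httpdebugger.exe",
    L"cheatengine-i386.exe",
    L"cheatengine-x86_64.exe",
    L"cheatengine-x86_64-SSE4-AVX2.exe",
    L"frida-helper-32.exe",
    L"frida-helper-64.exe",

};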
300
/**
 * @brief Kernel driver/module base names that reveal HyperDbg or a hypervisor guest
 *
 * @details ANSI names without extension, grouped by origin (HyperDbg, VirtualBox,
 * VMware Tools, Hyper-V). Presumably filtered out of loaded-module listings
 * (SystemModuleInformation) by the NtQuerySystemInformation handler — confirm with
 * SyscallFootprints.c. Whether the comparison is case-sensitive is not visible
 * here, so names are kept in the casing used by the respective vendors.
 */
static const PCHAR HV_DRIVER[] = {
    "hyperkd",
    "hyperhv",

    //
    // Drivers from VBox
    //

    "VBoxGuest",
    "VBoxMouse",
    "VBoxSF",

    //
    // Drivers from VMWare Tools
    //

    "vmrawdsk",
    "giappdef",
    "glxgi",
    "vm3dmp",
    "vm3dmp_loader",
    "vm3dmp-debug",
    "vm3dmp-stats",
    "vmxnet3",
    "vmxnet",
    "vnetWFP",
    "vnetflt",
    "vsepflt",
    "pvscsi",
    "vmmemctl",
    "vmhgfs",
    "vmusbmouse",
    "vmmouse",
    "vmaudio",
    "vmci",
    "vsock",

    //
    // Hyper-V Drivers
    //

    "VMBusHID",
    "vmbus",
    "vmgid",
    "IndirectKmd",
    "HyperVideo",
    "hyperkbd",

};
354
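/**
 * @brief File and path fragments that reveal HyperDbg or a hypervisor guest
 *
 * @details Wide-string needles — bare module names, file names with extension, or
 * directory fragments — presumably matched against the object names passed to the
 * file syscalls handled in transparent mode (NtCreateFile, NtOpenFile,
 * NtQueryAttributesFile); confirm with SyscallFootprints.c.
 *
 * Every entry carries its own trailing comma: two adjacent literals without one are
 * concatenated by the compiler into a single element, which is what happened to
 * L"hyperkd" / L"hyperlog" before (neither name matched). The duplicate
 * L"vboxmrxnp.dll" entry was dropped as well.
 */
static const PWCH HV_FILES[] = {

    //
    // HyperDbg Files
    //
    L"hyperhv",
    L"hyperkd",
    L"hyperlog",
    L"libhyperdbg",

    //
    // VMware Files
    //
    L"vmmouse.sys",
    L"Vmmouse.sys",
    L"vmusbmouse.sys",
    L"Vmusbmouse.sys",
    L"vm3dgl.dll",
    L"vmdum.dll",
    L"VmGuestLibJava.dll",
    L"vm3dver.dll",
    L"vmtray.dll",
    L"VMToolsHook.dll",
    L"vmGuestLib.dll",
    L"vmhgfs.dll",
    L"vmhgfs.sys",
    L"vm3dum64_loader.dll",
    L"vm3dum64_10.dll",
    L"vmnet.sys",
    L"vmusb.sys",
    L"vm3dmp.sys",
    L"vmci.sys",
    L"vmmemctl.sys",
    L"vmx86.sys",
    L"vmrawdsk.sys",
    L"vmkdb.sys",
    L"vmnetuserif.sys",
    L"vmnetadapter.sys",
    L"VMware Tools",
    L"VMWare",

    //
    // VirtualBox Files
    //
    L"VBoxMouse.sys",
    L"VBoxGuest.sys",
    L"VBoxSF.sys",
    L"VBoxVideo.sys",
    L"vboxoglpackspu.dll",
    L"vboxoglpassthroughspu.dll",
    L"vboxservice.exe",
    L"vboxoglcrutil.dll",
    L"vboxdisp.dll",
    L"vboxhook.dll",
    L"vboxmrxnp.dll",
    L"vboxogl.dll",
    L"vboxtray.exe",
    L"VBoxControl.exe",
    L"vboxoglerrorspu.dll",
    L"vboxoglfeedbackspu.dll",
    L"vboxoglarrayspu.dll",
    L"virtualbox guest additions",

    //
    // KVM files
    //
    L"balloon.sys",
    L"netkvm.sys",
    L"pvpanic.sys",
    L"viofs.sys",
    L"viogpudo.sys",
    L"vioinput.sys",
    L"viorng.sys",
    L"vioscsi.sys",
    L"vioser.sys",
    L"viostor.sys",

    //
    // VPC files
    //
    L"vmsrvc.sys",
    L"vmusrvc.sys",
    L"vmsrvc.exe",
    L"vmusrvc.exe",
    L"vpc-s3.sys",
    L"Virtio-Win",

    L"qemu-ga",
    L"SPICE Guest Tools",
};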
450
/**
 * @brief Directory names that reveal HyperDbg or a hypervisor guest
 *
 * @details Wide-string directory names (several appear in HV_FILES as well),
 * presumably hidden from directory listings by the NtOpenDirectoryObject and
 * file handlers in transparent mode — confirm with SyscallFootprints.c. Case
 * variants are listed explicitly, which suggests the comparison is case-sensitive.
 */
static const PWCH HV_DIRS[] = {
    L"hyperhv",
    L"VMware Tools",
    L"Virtio-Win",
    L"qemu-ga",
    L"SPICE Guest Tools",
    L"VMware",
    L"VMWARE",
    L"virtualbox guest additions",
    L"VirtualBox Guest Additions",
};
466
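/**
 * @brief Registry key/value contents that reveal a hypervisor guest or sandbox
 *
 * @details Wide-string needles presumably matched against data returned by the
 * NtQueryValueKey / NtEnumerateKey handlers in transparent mode — confirm with
 * SyscallFootprints.c. The first three entries are PCI vendor IDs and are
 * position-sensitive (see the NOTE below), so never insert anything above them;
 * the remaining order is grouping only. Each needle appears exactly once: a
 * second L"sandbox" / L"Sandboxie" pair that was repeated under the VPC group has
 * been removed.
 */
static const PWCH HV_REGKEYS[] = {

    //
    // PCI device vendor id's
    //
    // NOTE: These need to stay at the top of the list
    //
    L"VEN_80EE", // InnoTek / VirtualBox
    L"VEN_15AD", // VMware
    L"VEN_5333", // S3 Graphics (emulated VGA)

    //
    // Common names
    //
    L"Virtual",
    L"VIRTUAL",
    L"virtual",
    L"Hypervisor",
    L"hypervisor",
    L"HYPERVISOR",

    //
    // VMWare
    //
    L"VMware Tools",
    L"VMware, Inc.",
    L"vmusbmouse",
    L"VMware",
    L"VMWARE",
    L"VMWare",
    L"vmdebug",
    L"vmmouse",
    L"VMTools",
    L"VMMEMCTL",
    L"vmware tools",
    L"VMW0001",
    L"VMW0002",
    L"VMW0003",

    //
    // Sandboxes
    //
    L"sandbox",
    L"Sandboxie",

    //
    // VirtualBox
    //
    L"VirtualBox Guest Additions",
    L"VBOX__",
    L"VBoxGuest",
    L"VBoxMouse",
    L"VBoxService",
    L"VBoxSF",
    L"VBoxVideo",
    L"VIRTUALBOX",
    L"SUN MICROSYSTEMS",
    L"VBOXVER",
    L"VBOXAPIC",
    L"INNOTEK GMBH",

    //
    // QEMU
    //
    L"qemu-ga",
    L"SPICE Guest Tools",

    //
    // VPC (and other platforms without a group of their own)
    //
    L"vpcbus",
    L"vpc-s3",
    L"vpcuhub",
    L"msvmmouf",
    L"Wine",
    L"xen",
    L"VIRTUAL MACHINE",
    L"GOOGLE COMPUTE ENGINE",

    //
    // KVM
    //
    L"vioscsi",
    L"viostor",
    L"VirtIO-FS Service",
    L"VirtioSerial",
    L"BALLOON",
    L"BalloonService",
    L"netkvm",

};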
561
/**
 * @brief Registry value names whose data is worth inspecting in transparent mode
 *
 * @details Wide-string value names (hardware descriptions, BIOS/firmware strings,
 * driver and service names) under which hypervisor identifiers typically surface.
 * Presumably only queries for these names have their returned data checked against
 * HV_REGKEYS, keeping the registry hook cheap for everything else — confirm with
 * the NtQueryValueKey handler. The trailing numeric names (L"0", L"1",
 * L"00000000") look like enumerated sub-key/value names — confirm.
 */
static const PWCH TRANSPARENT_DETECTABLE_REGISTRY_KEYS[] = {
    L"AcpiData",
    L"SMBiosData",
    L"Identifier",
    L"SystemBiosVersion",
    L"VideoBiosVersion",
    L"ProductID",
    L"SystemManufacturer",
    L"SystemProductName",
    L"DeviceDesc",
    L"FriendlyName",
    L"DisplayName",
    L"ProviderName",
    L"Device Description",
    L"BIOSVendor",
    L"DriverDesc",
    L"InfSection",
    L"Service",
    L"0",
    L"1",
    L"00000000",
};
590
/**
 * @brief Firmware/SMBIOS strings that identify a VMware or VirtualBox guest
 *
 * @details ANSI strings (firmware tables are byte data, hence PCHAR rather than the
 * wide tables above). Presumably scrubbed from SystemFirmwareTableInformation
 * results by the NtQuerySystemInformation handler — confirm with
 * SyscallFootprints.c. Case variants are listed explicitly, suggesting a
 * case-sensitive match.
 */
static const PCHAR HV_FIRM_NAMES[] = {
    "440BX Desktop Reference Platform",
    "VMWARE, INC.",
    "VMware, Inc.",
    "VMWARE",
    "VMware",
    "VMW",
    "VS2005R2",
    "VirtualBox",
    "VIRTUALBOX",
    "Oracle",
    "ORACLE",
    "Innotek",
    "INNOTEK",
    "Virtual",

};
614
615#endif
616
618// Functions //
620
621VOID
623
624VOID
626
627VOID
629
630VOID
632
633VOID
635
636VOID
638
639VOID
641
642VOID
644
645VOID