HyperDbg Debugger
Loading...
Searching...
No Matches
hide.cpp File Reference

!hide command More...

#include "pch.h"

Functions

VOID CommandHideHelp ()
 help of the !hide command
BOOLEAN CommandHideFillSystemCalls (SYSTEM_CALL_NUMBERS_INFORMATION *SyscallNumberDetails)
 This function is called when the user wants to hide the fill system calls in the transparent mode based on current system call numbers.
BOOLEAN HyperDbgEnableTransparentModeEx (UINT32 ProcessId, CHAR *ProcessName, BOOLEAN IsProcessId, UINT32 EvadeMask)
 Enable transparent mode.
BOOLEAN HyperDbgEnableTransparentMode (UINT32 ProcessId, CHAR *ProcessName, BOOLEAN IsProcessId)
 Enable transparent mode.
VOID CommandHide (vector< CommandToken > CommandTokens, string Command)
 !hide command handler

Variables

BOOLEAN g_IsVmmModuleLoaded
 shows whether the VMM module is loaded or not
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
 State of active debugging thread.

Detailed Description

!hide command

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
jtaw5649
Version
0.1
Date
2020-07-07

Function Documentation

◆ CommandHide()

VOID CommandHide ( vector< CommandToken > CommandTokens,
string Command )

!hide command handler

Parameters
CommandTokens
Command
Returns
VOID
396{
397 UINT32 TargetPid;
398 BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
399
400#if ActivateHyperEvadeProject != TRUE
401
402 ShowMessages("warning, the !hide command (hyperevade project) is in the Beta phase and is not yet well-tested, "
403 "so it is disabled in this version. If you want to test, you can enable it "
404 "from the configuration file (set ActivateHyperEvadeProject to TRUE) and recompile HyperDbg\n\n");
405 return;
406
407#endif
408
409 if (CommandTokens.size() != 1 && CommandTokens.size() != 3)
410 {
411 ShowMessages("incorrect use of the '%s'\n\n",
412 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
414 return;
415 }
416
417 //
418 // Find out whether the user enters pid or name
419 //
420 if (CommandTokens.size() == 1)
421 {
423 {
424 TrueIfProcessIdAndFalseIfProcessName = TRUE;
425 TargetPid = g_ActiveProcessDebuggingState.ProcessId;
426 }
427 else
428 {
429 //
430 // There is no user-debugging process
431 //
432 ShowMessages("you're not attached to any user-mode process, "
433 "please explicitly specify the process id or process name\n\n");
435 return;
436 }
437 }
438 else if (CompareLowerCaseStrings(CommandTokens.at(1), "pid"))
439 {
440 TrueIfProcessIdAndFalseIfProcessName = TRUE;
441
442 //
443 // Check for the user to not add extra arguments
444 //
445 if (CommandTokens.size() != 3)
446 {
447 ShowMessages("incorrect use of the '%s'\n\n",
448 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
450 return;
451 }
452
453 //
454 // It's just a pid for the process
455 //
456 if (!ConvertTokenToUInt32(CommandTokens.at(2), &TargetPid))
457 {
458 ShowMessages("incorrect process id\n\n");
459 return;
460 }
461 }
462 else if (CompareLowerCaseStrings(CommandTokens.at(1), "name"))
463 {
464 TrueIfProcessIdAndFalseIfProcessName = FALSE;
465 }
466 else
467 {
468 //
469 // Invalid argument for the second parameter to the command
470 //
471 ShowMessages("incorrect use of the '%s'\n\n",
472 GetCaseSensitiveStringFromCommandToken(CommandTokens.at(0)).c_str());
474 return;
475 }
476
477 //
478 // Enable the transparent mode
479 //
480 if (TrueIfProcessIdAndFalseIfProcessName)
481 {
483 NULL,
484 TRUE);
485 }
486 else
487 {
489 (CHAR *)GetCaseSensitiveStringFromCommandToken(CommandTokens.at(2)).c_str(),
490 FALSE);
491 }
492}
ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
State of active debugging thread.
Definition globals.h:372
UCHAR BOOLEAN
Definition BasicTypes.h:35
#define TRUE
Definition BasicTypes.h:114
#define FALSE
Definition BasicTypes.h:113
unsigned int UINT32
Definition BasicTypes.h:54
char CHAR
Definition BasicTypes.h:33
std::string GetCaseSensitiveStringFromCommandToken(CommandToken TargetToken)
Get case sensitive string from command token.
Definition common.cpp:467
BOOLEAN CompareLowerCaseStrings(CommandToken TargetToken, const CHAR *StringToCompare)
Compare lower case strings.
Definition common.cpp:503
BOOLEAN ConvertTokenToUInt32(CommandToken TargetToken, PUINT32 Result)
check and convert command token to a 32 bit unsigned integer
Definition common.cpp:546
BOOLEAN HyperDbgEnableTransparentMode(UINT32 ProcessId, CHAR *ProcessName, BOOLEAN IsProcessId)
Enable transparent mode.
Definition hide.cpp:382
VOID CommandHideHelp()
help of the !hide command
Definition hide.cpp:27

◆ CommandHideFillSystemCalls()

BOOLEAN CommandHideFillSystemCalls ( SYSTEM_CALL_NUMBERS_INFORMATION * SyscallNumberDetails)

This function is called when the user wants to hide the fill system calls in the transparent mode based on current system call numbers.

Parameters
SyscallNumberDetails
Returns
BOOLEAN
54{
55 BOOLEAN Result = TRUE;
56
57 //
58 // Get the syscall number of NtQuerySystemInformation
59 //
60 SyscallNumberDetails->SysNtQuerySystemInformation = PeGetSyscallNumber("NtQuerySystemInformation");
61
62 if (SyscallNumberDetails->SysNtQuerySystemInformation == 0)
63 {
64 ShowMessages("warning, failed to get NtQuerySystemInformation syscall number for transparent-mode\n");
65 Result = FALSE;
66 }
67
68 //
69 // Get the syscall number of NtQuerySystemInformationEx
70 //
71 SyscallNumberDetails->SysNtQuerySystemInformationEx = PeGetSyscallNumber("NtQuerySystemInformationEx");
72
73 if (SyscallNumberDetails->SysNtQuerySystemInformationEx == 0)
74 {
75 ShowMessages("warning, failed to get NtQuerySystemInformationEx syscall number for transparent-mode\n");
76 Result = FALSE;
77 }
78
79 //
80 // Get the syscall number of NtSystemDebugControl
81 //
82 SyscallNumberDetails->SysNtSystemDebugControl = PeGetSyscallNumber("NtSystemDebugControl");
83
84 if (SyscallNumberDetails->SysNtSystemDebugControl == 0)
85 {
86 ShowMessages("warning, failed to get NtSystemDebugControl syscall number for transparent-mode\n");
87 Result = FALSE;
88 }
89
90 //
91 // Get the syscall number of NtQueryAttributesFile
92 //
93 SyscallNumberDetails->SysNtQueryAttributesFile = PeGetSyscallNumber("NtQueryAttributesFile");
94
95 if (SyscallNumberDetails->SysNtQueryAttributesFile == 0)
96 {
97 ShowMessages("warning, failed to get NtQueryAttributesFile syscall number for transparent-mode\n");
98 Result = FALSE;
99 }
100
101 //
102 // Get the syscall number of NtOpenDirectoryObject
103 //
104 SyscallNumberDetails->SysNtOpenDirectoryObject = PeGetSyscallNumber("NtOpenDirectoryObject");
105
106 if (SyscallNumberDetails->SysNtOpenDirectoryObject == 0)
107 {
108 ShowMessages("warning, failed to get NtOpenDirectoryObject syscall number for transparent-mode\n");
109 Result = FALSE;
110 }
111
112 //
113 // Get the syscall number of NtQueryDirectoryObject
114 //
115 SyscallNumberDetails->SysNtQueryDirectoryObject = PeGetSyscallNumber("NtQueryDirectoryObject");
116
117 if (SyscallNumberDetails->SysNtQueryDirectoryObject == 0)
118 {
119 ShowMessages("warning, failed to get NtQueryDirectoryObject syscall number for transparent-mode\n");
120 Result = FALSE;
121 }
122
123 //
124 // Get the syscall number of NtQueryInformationProcess
125 //
126 SyscallNumberDetails->SysNtQueryInformationProcess = PeGetSyscallNumber("NtQueryInformationProcess");
127
128 if (SyscallNumberDetails->SysNtQueryInformationProcess == 0)
129 {
130 ShowMessages("warning, failed to get NtQueryInformationProcess syscall number for transparent-mode\n");
131 Result = FALSE;
132 }
133
134 //
135 // Get the syscall number of NtSetInformationProcess
136 //
137 SyscallNumberDetails->SysNtSetInformationProcess = PeGetSyscallNumber("NtSetInformationProcess");
138
139 if (SyscallNumberDetails->SysNtSetInformationProcess == 0)
140 {
141 ShowMessages("warning, failed to get NtSetInformationProcess syscall number for transparent-mode\n");
142 Result = FALSE;
143 }
144
145 //
146 // Get the syscall number of NtQueryInformationThread
147 //
148 SyscallNumberDetails->SysNtQueryInformationThread = PeGetSyscallNumber("NtQueryInformationThread");
149
150 if (SyscallNumberDetails->SysNtQueryInformationThread == 0)
151 {
152 ShowMessages("warning, failed to get NtQueryInformationThread syscall number for transparent-mode\n");
153 Result = FALSE;
154 }
155
156 //
157 // Get the syscall number of NtSetInformationThread
158 //
159 SyscallNumberDetails->SysNtSetInformationThread = PeGetSyscallNumber("NtSetInformationThread");
160
161 if (SyscallNumberDetails->SysNtSetInformationThread == 0)
162 {
163 ShowMessages("warning, failed to get NtSetInformationThread syscall number for transparent-mode\n");
164 Result = FALSE;
165 }
166
167 //
168 // Get the syscall number of NtOpenFile
169 //
170 SyscallNumberDetails->SysNtOpenFile = PeGetSyscallNumber("NtOpenFile");
171
172 if (SyscallNumberDetails->SysNtOpenFile == 0)
173 {
174 ShowMessages("warning, failed to get NtOpenFile syscall number for transparent-mode\n");
175 Result = FALSE;
176 }
177
178 //
179 // Get the syscall number of NtOpenKey
180 //
181 SyscallNumberDetails->SysNtOpenKey = PeGetSyscallNumber("NtOpenKey");
182
183 if (SyscallNumberDetails->SysNtOpenKey == 0)
184 {
185 ShowMessages("warning, failed to get NtOpenKey syscall number for transparent-mode\n");
186 Result = FALSE;
187 }
188
189 //
190 // Get the syscall number of NtOpenKeyEx
191 //
192 SyscallNumberDetails->SysNtOpenKeyEx = PeGetSyscallNumber("NtOpenKeyEx");
193
194 if (SyscallNumberDetails->SysNtOpenKeyEx == 0)
195 {
196 ShowMessages("warning, failed to get NtOpenKeyEx syscall number for transparent-mode\n");
197 Result = FALSE;
198 }
199
200 //
201 // Get the syscall number of NtQueryValueKey
202 //
203 SyscallNumberDetails->SysNtQueryValueKey = PeGetSyscallNumber("NtQueryValueKey");
204
205 if (SyscallNumberDetails->SysNtQueryValueKey == 0)
206 {
207 ShowMessages("warning, failed to get NtQueryValueKey syscall number for transparent-mode\n");
208 Result = FALSE;
209 }
210
211 //
212 // Get the syscall number of NtEnumerateKey
213 //
214 SyscallNumberDetails->SysNtEnumerateKey = PeGetSyscallNumber("NtEnumerateKey");
215
216 if (SyscallNumberDetails->SysNtEnumerateKey == 0)
217 {
218 ShowMessages("warning, failed to get NtEnumerateKey syscall number for transparent-mode\n");
219 Result = FALSE;
220 }
221
222 return Result;
223}
UINT32 PeGetSyscallNumber(LPCSTR NtFunctionName)
Get the syscall number of a given Nt function.
Definition pe-parser.cpp:4606
UINT32 SysNtQueryInformationProcess
Definition RequestStructures.h:576
UINT32 SysNtQueryAttributesFile
Definition RequestStructures.h:573
UINT32 SysNtQueryValueKey
Definition RequestStructures.h:583
UINT32 SysNtOpenKey
Definition RequestStructures.h:581
UINT32 SysNtOpenKeyEx
Definition RequestStructures.h:582
UINT32 SysNtQueryDirectoryObject
Definition RequestStructures.h:575
UINT32 SysNtOpenDirectoryObject
Definition RequestStructures.h:574
UINT32 SysNtQuerySystemInformationEx
Definition RequestStructures.h:570
UINT32 SysNtOpenFile
Definition RequestStructures.h:580
UINT32 SysNtSetInformationThread
Definition RequestStructures.h:579
UINT32 SysNtSetInformationProcess
Definition RequestStructures.h:577
UINT32 SysNtEnumerateKey
Definition RequestStructures.h:584
UINT32 SysNtQuerySystemInformation
Definition RequestStructures.h:569
UINT32 SysNtQueryInformationThread
Definition RequestStructures.h:578
UINT32 SysNtSystemDebugControl
Definition RequestStructures.h:572

◆ CommandHideHelp()

VOID CommandHideHelp ( )

help of the !hide command

Returns
VOID
28{
29 ShowMessages("!hide : tries to make HyperDbg transparent from anti-debugging "
30 "and anti-hypervisor methods.\n\n");
31
32 ShowMessages("syntax : \t!hide\n");
33 ShowMessages("syntax : \t!hide [pid ProcessId (hex)]\n");
34 ShowMessages("syntax : \t!hide [name ProcessName (string)]\n");
35
36 ShowMessages("note : \tprocess names are case sensitive and you can use "
37 "this command multiple times.\n");
38
39 ShowMessages("\n");
40 ShowMessages("\t\te.g : !hide\n");
41 ShowMessages("\t\te.g : !hide pid b60 \n");
42 ShowMessages("\t\te.g : !hide name procexp.exe\n");
43}

◆ HyperDbgEnableTransparentMode()

BOOLEAN HyperDbgEnableTransparentMode ( UINT32 ProcessId,
CHAR * ProcessName,
BOOLEAN IsProcessId )

Enable transparent mode.

Parameters
ProcessId
ProcessName
IsProcessId
Returns
BOOLEAN
383{
384 return HyperDbgEnableTransparentModeEx(ProcessId, ProcessName, IsProcessId, 0);
385}
BOOLEAN HyperDbgEnableTransparentModeEx(UINT32 ProcessId, CHAR *ProcessName, BOOLEAN IsProcessId, UINT32 EvadeMask)
Enable transparent mode.
Definition hide.cpp:235

◆ HyperDbgEnableTransparentModeEx()

BOOLEAN HyperDbgEnableTransparentModeEx ( UINT32 ProcessId,
CHAR * ProcessName,
BOOLEAN IsProcessId,
UINT32 EvadeMask )

Enable transparent mode.

Parameters
ProcessId
ProcessName
IsProcessId
EvadeMask
Returns
BOOLEAN
236{
237 BOOLEAN Status;
238 ULONG ReturnedLength;
241 SIZE_T RequestBufferSize = 0;
242 UINT32 EffectiveEvadeMask = EvadeMask == 0 ? TRANSPARENT_EVADE_MASK_DEFAULT : EvadeMask;
243
244 //
245 // Check if debugger is loaded or not
246 //
247 // AssertShowMessageReturnStmt(g_IsVmmModuleLoaded, g_DeviceHandle, ASSERT_MESSAGE_VMM_NOT_LOADED, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturnFalse);
248
249 //
250 // We wanna hide the debugger and make transparent vm-exits
251 //
252 if ((EffectiveEvadeMask & ~TRANSPARENT_EVADE_MASK_ALL) != 0)
253 {
254 ShowMessages("unknown transparent-mode evade mask bits\n");
255 return FALSE;
256 }
257
258 HideRequest.IsHide = TRUE;
259 HideRequest.EvadeMask = EffectiveEvadeMask;
260
261 HideRequest.TrueIfProcessIdAndFalseIfProcessName = IsProcessId;
262
263 if (IsProcessId)
264 {
265 //
266 // It's a process id
267 //
268 HideRequest.ProcId = (UINT32)ProcessId;
269
270 RequestBufferSize = sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE);
271 }
272 else
273 {
274 //
275 // It's a process name
276 //
277 HideRequest.LengthOfProcessName = (UINT32)strlen(ProcessName) + 1;
278 RequestBufferSize = sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE) + HideRequest.LengthOfProcessName;
279 }
280
281 if ((EffectiveEvadeMask & TRANSPARENT_EVADE_MASK_SYSCALL_HOOK) != 0 &&
283 {
284 ShowMessages("warning, failed to resolve one or more syscall numbers for transparent-mode\n");
285 return FALSE;
286 }
287
288 //
289 // Allocate the requested buffer
290 //
291 FinalRequestBuffer = (PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE)malloc(RequestBufferSize);
292
293 if (FinalRequestBuffer == NULL)
294 {
295 ShowMessages("insufficient space\n");
296 return FALSE;
297 }
298
299 //
300 // Zero the memory
301 //
302 RtlZeroMemory(FinalRequestBuffer, RequestBufferSize);
303
304 //
305 // Copy the buffer on the top of the final buffer
306 // to send the kernel
307 //
308 memcpy(FinalRequestBuffer, &HideRequest, sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE));
309
310 //
311 // If it's a name then we should add it to the end of the buffer
312 //
313 if (!IsProcessId)
314 {
315 CHAR * ProcName = ProcessName;
316
317 memcpy(((UINT64 *)((UINT64)FinalRequestBuffer + sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE))),
318 ProcName,
319 HideRequest.LengthOfProcessName);
320 }
321
322 //
323 // Send the request to the kernel
324 //
325 Status = DeviceIoControl(
326 g_DeviceHandle, // Handle to device
328 // code
329 FinalRequestBuffer, // Input Buffer to driver.
330 (DWORD)RequestBufferSize, // Input buffer length
331 FinalRequestBuffer, // Output Buffer from driver.
333 // buffer in bytes.
334 &ReturnedLength, // Bytes placed in buffer.
335 NULL // synchronous call
336 );
337
338 if (!Status)
339 {
340 ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
341 free(FinalRequestBuffer);
342 return FALSE;
343 }
344
345 if (FinalRequestBuffer->KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
346 {
347 ShowMessages("transparent debugging successfully enabled :)\n");
348 }
350 {
351 ShowMessages("unable to hide the debugger (transparent-debugging) :(\n");
352 free(FinalRequestBuffer);
353 return FALSE;
354 }
355 else
356 {
357 ShowMessages("unknown error occurred :(\n");
358 free(FinalRequestBuffer);
359 return FALSE;
360 }
361
362 //
363 // free the buffer
364 //
365 free(FinalRequestBuffer);
366
367 //
368 // It means the transparent mode enabled successfully
369 //
370 return TRUE;
371}
unsigned long DWORD
Definition BasicTypes.h:38
unsigned long ULONG
Definition BasicTypes.h:31
#define TRANSPARENT_EVADE_MASK_DEFAULT
Definition Constants.h:689
#define TRANSPARENT_EVADE_MASK_SYSCALL_HOOK
Transparent-mode feature mask.
Definition Constants.h:683
#define TRANSPARENT_EVADE_MASK_ALL
Definition Constants.h:687
#define DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
error, unable to hide the debugger and enter to transparent-mode
Definition ErrorCodes.h:87
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
#define IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER
ioctl, request to enable or disable transparent-mode
Definition Ioctls.h:178
struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE * PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
#define SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
Definition RequestStructures.h:588
struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE
request for enable or disable transparent-mode
BOOLEAN CommandHideFillSystemCalls(SYSTEM_CALL_NUMBERS_INFORMATION *SyscallNumberDetails)
This function is called when the user wants to hide the fill system calls in the transparent mode bas...
Definition hide.cpp:53
HANDLE g_DeviceHandle
Holds the global handle of device which is used to send the request to the kernel by IOCTL,...
Definition globals.h:481
SYSTEM_CALL_NUMBERS_INFORMATION SystemCallNumbersInformation
Definition RequestStructures.h:611
UINT32 KernelStatus
Definition RequestStructures.h:613
BOOLEAN IsHide
Definition RequestStructures.h:597
UINT32 EvadeMask
Definition RequestStructures.h:617
UINT32 LengthOfProcessName
Definition RequestStructures.h:609
BOOLEAN TrueIfProcessIdAndFalseIfProcessName
Definition RequestStructures.h:607
UINT32 ProcId
Definition RequestStructures.h:608

Variable Documentation

◆ g_ActiveProcessDebuggingState

ACTIVE_DEBUGGING_PROCESS g_ActiveProcessDebuggingState
extern

State of active debugging thread.

372{0};

◆ g_IsVmmModuleLoaded

BOOLEAN g_IsVmmModuleLoaded
extern

shows whether the VMM module is loaded or not