HyperDbgHyperEvade.h File Reference

Header declaring the functions exported from the hyperevade (transparency) module. More...


Macros

#define IMPORT_EXPORT_HYPEREVADE   __declspec(dllimport)

Functions

IMPORT_EXPORT_HYPEREVADE BOOLEAN TransparentHideDebugger (HYPEREVADE_CALLBACKS *HyperevadeCallbacks, DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE *TransparentModeRequest)
 Hide debugger on transparent-mode (activate transparent-mode).
IMPORT_EXPORT_HYPEREVADE BOOLEAN TransparentUnhideDebugger ()
 Deactivate transparent-mode.
IMPORT_EXPORT_HYPEREVADE VOID TransparentCheckAndModifyCpuid (PGUEST_REGS Regs, INT32 CpuInfo[])
 Handle CPUID VM exits when the transparent mode is enabled.
IMPORT_EXPORT_HYPEREVADE VOID TransparentCheckAndTrapFlagAfterVmexit ()
 Handle the trap-flag based anti-debugging technique after a VM exit.
IMPORT_EXPORT_HYPEREVADE BOOLEAN TransparentCheckAndModifyMsrRead (PGUEST_REGS Regs, UINT32 TargetMsr)
 Handle RDMSR VM exits when the Transparent mode is enabled.
IMPORT_EXPORT_HYPEREVADE BOOLEAN TransparentCheckAndModifyMsrWrite (PGUEST_REGS Regs, UINT32 TargetMsr)
 Handle WRMSR VM exits when the Transparent mode is enabled.
IMPORT_EXPORT_HYPEREVADE VOID TransparentHandleSystemCallHook (GUEST_REGS *Regs)
 Handle the triggered hook on the KiSystemCall64 system call handler when the transparency mode is enabled.
IMPORT_EXPORT_HYPEREVADE VOID TransparentCallbackHandleAfterSyscall (GUEST_REGS *Regs, UINT32 ProcessId, UINT32 ThreadId, UINT64 Context, SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
 Callback function to handle returns from the syscall.

Detailed Description

Header declaring the functions exported from the hyperevade (transparency) module.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.14
Date
2025-06-07

Macro Definition Documentation

◆ IMPORT_EXPORT_HYPEREVADE

#define IMPORT_EXPORT_HYPEREVADE   __declspec(dllimport)

Function Documentation

◆ TransparentCallbackHandleAfterSyscall()

IMPORT_EXPORT_HYPEREVADE VOID TransparentCallbackHandleAfterSyscall ( GUEST_REGS * Regs,
UINT32 ProcessId,
UINT32 ThreadId,
UINT64 Context,
SYSCALL_CALLBACK_CONTEXT_PARAMS * Params )

Callback function to handle returns from the syscall.

Parameters
Regs — The virtual processor's state of registers
ProcessId — The process id of the thread
ThreadId — The thread id of the thread
Context — The context of the caller
Params — The (optional) parameters of the caller
Returns
VOID
// Post-syscall (SYSRET-side) handler. Context is the system-call number captured at
// syscall entry (it is compared against g_SystemCallNumbersInformation below), Params
// carries the argument values captured at entry, and Regs->rax holds whatever the
// kernel returned. Depending on the call, either the guest's user-mode output buffer
// is rewritten through the g_Callbacks memory-mapper helpers or RAX is replaced with
// a transparency-specific status code.
// NOTE(review): this rendering drops source lines 1783, 1915 and 1945; judging by the
// cross-references they are the calls to the HandleAfter...Syscall helpers — verify in
// SyscallFootprints.c before relying on the empty branch / the RetVal reads below.
1773{
1774 //
1775 // Handle each defined system call separately, after the kernel execution has finished(at the SYSRET instruction)
1776 //
1777
1778 //
1779 // Handle the memory buffer and return code modification after NtQuerySystemInformation system call
1780 //
1781 if (Context == g_SystemCallNumbersInformation.SysNtQuerySystemInformation)
1782 {
// (presumably the TransparentCallbackHandleAfterNtQuerySystemInformationSyscall(Regs, Params) call, not rendered here)
1784 }
1785 //
1786 // Handle the memory buffer and return code modification after NtQueryAttributesFile system call
1787 //
1788 else if (Context == g_SystemCallNumbersInformation.SysNtQueryAttributesFile)
1789 {
1790 //
1791 // Check if the obtained buffer pointer is valid
1792 //
// OptionalParam1 is the user-mode FILE_BASIC_INFORMATION output pointer captured at entry;
// it is range/validity checked before any access (the ProcessDebugFlags case below does not do this).
1793 if (g_Callbacks.CheckAccessValidityAndSafety(Params->OptionalParam1, sizeof(FILE_BASIC_INFORMATION)))
1794 {
1795 FILE_BASIC_INFORMATION Buf = {0};
1796 //
1797 // Copy over the data from the output buffer pointer
1798 //
1799 if (!g_Callbacks.MemoryMapperReadMemorySafeOnTargetProcess(Params->OptionalParam1, &Buf, sizeof(FILE_BASIC_INFORMATION)))
1800 {
1801 LogError("Err, Virtual memory read failed");
1802 }
1803 else
1804 {
1805 //
1806 // Modify the file attribute to INVALID_FILE_ATTRIBUTES and write it back to the pointer
1807 //
// INVALID_FILE_ATTRIBUTES is defined as (DWORD)-1; only the attributes field is touched,
// the rest of the structure is written back as read.
1808 Buf.FileAttributes = ((DWORD)-1);
1809
1810 if (!g_Callbacks.MemoryMapperWriteMemorySafeOnTargetProcess(Params->OptionalParam1, &Buf, sizeof(FILE_BASIC_INFORMATION)))
1811 {
1812 LogError("Err, Virtual memory write failed");
1813 }
1814 }
1815 }
1816 else
1817 {
1818 LogInfo("A call for the NtQueryAttributeFile system call for a marked file was made, but the output buffer was not captured");
1819 }
1820 }
1821
1822 //
1823 // Handle the memory buffer and return code modification after NtOpenDirectoryObject system call.
1824 //
1825 // NOTE: No transparent mitigations of this call have been implemented
1826 //
1827 else if (Context == g_SystemCallNumbersInformation.SysNtOpenDirectoryObject)
1828 {
1829 LogInfo("A NtOpenDirectoryObject system call was made for a known directory that reveals hypervisor presence. process: %x, thread: %x\n",
1830 ProcessId,
1831 ThreadId);
1832 LogInfo("No action to mitigate this was made as a handler for NtOpenDirectoryObject has not been implemented");
1833 }
1834 //
1835 // Handle the memory buffer modification after NtQueryInformationProcess system call
1836 //
1837 else if (Context == g_SystemCallNumbersInformation.SysNtQueryInformationProcess)
1838 {
// OptionalParam1 is the PROCESSINFOCLASS argument captured at entry; OptionalParam2 the
// caller's output buffer. The numeric cases are well-known PROCESSINFOCLASS members.
1839 switch (Params->OptionalParam1)
1840 {
// 0x07 == ProcessDebugPort: report "no debug port" by zeroing the output.
// NOTE(review): the write's return value is ignored here, unlike the NtQueryAttributesFile path which logs failures.
1841 case 0x07:
1842 {
1843 if (g_Callbacks.CheckAccessValidityAndSafety(Params->OptionalParam2, sizeof(DWORD_PTR)))
1844 {
1845 //
1846 // Zero out the return buffer to user-mode
1847 //
1848 DWORD_PTR NoDebugPort = 0x0;
1849
1850 g_Callbacks.MemoryMapperWriteMemorySafeOnTargetProcess(Params->OptionalParam2, &NoDebugPort, sizeof(DWORD_PTR));
1851 }
1852 break;
1853 }
// 0x1f == ProcessDebugFlags.
// NOTE(review): (1) unlike case 0x07 there is no CheckAccessValidityAndSafety() guard before the
// write — confirm the "safe" write callback tolerates an invalid user pointer; (2) the kernel reports
// the inverse of EPROCESS.NoDebugInherit for this class, so by the usual reading 0 means "debugger
// attached" and 1 means "not debugged" — confirm 0 is really the intended value despite the variable name.
1854 case 0x1f:
1855 {
1856 //
1857 // Zero out the return buffer to user-mode
1858 //
1859 ULONG notDebugged = 0x0;
1860 g_Callbacks.MemoryMapperWriteMemorySafeOnTargetProcess(Params->OptionalParam2, &notDebugged, sizeof(ULONG));
1861 break;
1862 }
// 0x1e == ProcessDebugObjectHandle. OptionalParam3 is presumably the caller's buffer length
// (hence the UINT32 cast) — TODO confirm. Only logged; no mitigation is applied.
1863 case 0x1e:
1864 {
1865 if (g_Callbacks.CheckAccessValidityAndSafety(Params->OptionalParam2, (UINT32)Params->OptionalParam3))
1866 {
// NOTE(review): ProcessId is UINT32 but is printed with %llx; if LogInfo is printf-style this is a
// format/type mismatch (the rest of this function prints it with %x).
1867 LogInfo("Process %llx called the NtQueryInformationProcess system call with the ProcessDebugObject class, no transparent mitigations were performed", ProcessId);
1868 }
1869 break;
1870 }
1871 default:
1872 {
1873 break;
1874 }
1875 }
1876 }
1877 //
1878 // Handle the return code modification after NtSystemDebugControl system call
1879 //
1880 else if (Context == g_SystemCallNumbersInformation.SysNtSystemDebugControl)
1881 {
1882 //
1883 // In the entry handler, the Syscall number was changed to corrupt this call, after the SYSRET, change the return code to STATUS_DEBUGGER_INACTIVE
1884 //
// The cast through UINT32 zero-extends the negative NTSTATUS into RAX (upper 32 bits clear)
// rather than sign-extending it; the same idiom is used for the other status overrides below.
1885 Regs->rax = (UINT64)(UINT32)STATUS_DEBUGGER_INACTIVE;
1886 }
1887
1888 //
1889 // Handle the return code modification after SysNtOpenFile system call
1890 //
1891 else if (Context == g_SystemCallNumbersInformation.SysNtOpenFile)
1892 {
1893 //
1894 // In the entry handler, the Syscall number was changed to corrupt this call if the request was for a known hypervisor file
1895 // after the SYSRET, change the return code to STATUS_OBJECT_NAME_NOT_FOUND
1896 //
1897 Regs->rax = (UINT64)(UINT32)STATUS_OBJECT_NAME_NOT_FOUND;
1898 }
1899
1900 //
1901 // Handle the return code modification after NtNtQueryValueKey system call
1902 //
1903 // NOTE: The transparent mitigation will replace all occurrences of a hypervisor vendor string in the registry
1904 // key data to a randomized real hardware vendor string, no matter the meaning of the key,
1905 // This can cause some keys to produce illogical data, for example,
1906 // a disk drive ID having a vendor string of ASUS even though (as far as I know) ASUS doesn't produce storage devices.
1907 //
1908 else if (Context == g_SystemCallNumbersInformation.SysNtQueryValueKey)
1909 {
// NOTE(review): RetVal is read below but its assignment (source line 1915 — per the cross-reference the
// TransparentCallbackHandleAfterNtQueryValueKeySyscall(Params) call) is not rendered here; it must be
// assigned unconditionally before the test, otherwise an uninitialized read is UB.
1910 UINT64 RetVal;
1911
1912 //
1913 // Call the handler of NtQueryValueKey syscall callback
1914 //
1916
1917 //
1918 // If a custom(Specific to transparency) error code should be returned,
1919 // set it to %RAX
1920 // Else leave it to what the kernel already set it to
1921 //
1922 if (RetVal != 0)
1923 {
1924 Regs->rax = RetVal;
1925 }
1926 }
1927 //
1928 // Handle the memory buffer modification after NtOpenKey system call and its derivatives
1929 //
1930 else if (Context == g_SystemCallNumbersInformation.SysNtOpenKey || Context == g_SystemCallNumbersInformation.SysNtOpenKeyEx)
1931 {
1932 //
1933 // In the entry handler, the Syscall number was changed to corrupt this call if the request was for a known hypervisor registry key
1934 // after the SYSRET, change the return code to STATUS_OBJECT_NAME_NOT_FOUND
1935 //
1936 Regs->rax = (UINT64)(UINT32)STATUS_OBJECT_NAME_NOT_FOUND;
1937 }
// Same contract as the NtQueryValueKey branch: a non-zero RetVal from the helper overrides RAX.
1938 else if (Context == g_SystemCallNumbersInformation.SysNtEnumerateKey)
1939 {
// NOTE(review): assignment (source line 1945, presumably TransparentCallbackHandleAfterNtEnumerateKeySyscall(Params)) not rendered here.
1940 UINT64 RetVal;
1941
1942 //
1943 // Call the handler of NtEnumerateKey syscall callback
1944 //
1946
1947 //
1948 // If a custom(Specific to transparency) error code should be returned,
1949 // set it to %RAX
1950 // Else leave it to what the kernel already set it to
1951 //
1952 if (RetVal != 0)
1953 {
1954 Regs->rax = RetVal;
1955 }
1956 }
1957 else
1958 {
1959 //
1960 // A SYSRET trap flag was inserted for a System call that does not have a transparency handler implemented
1961 //
// Diagnostic only: the OptionalParam values are the raw captured argument words and are not dereferenced here.
1962 LogInfo("Transparent callback for an unimplemented system call handle with the trap flag for process: %x, thread: %x, context: %llx RAX: %llx (p1: %llx, p2: %llx, p3: %llx, p4: %llx) \n",
1963 ProcessId,
1964 ThreadId,
1965 Context,
1966 Regs->rax,
1967 Params->OptionalParam1,
1968 Params->OptionalParam2,
1969 Params->OptionalParam3,
1970 Params->OptionalParam4);
1971 }
1972}
UINT64 TransparentCallbackHandleAfterNtQueryValueKeySyscall(SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
Callback function to handle the returns from the NtQueryValueKey syscall.
Definition SyscallFootprints.c:1472
VOID TransparentCallbackHandleAfterNtQuerySystemInformationSyscall(GUEST_REGS *Regs, SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
Callback function to handle the returns from the NtQuerySystemInformation syscall.
Definition SyscallFootprints.c:1615
UINT64 TransparentCallbackHandleAfterNtEnumerateKeySyscall(SYSCALL_CALLBACK_CONTEXT_PARAMS *Params)
Callback function to handle the returns from the NtEnumerateKey syscall.
Definition SyscallFootprints.c:1554
SYSTEM_CALL_NUMBERS_INFORMATION g_SystemCallNumbersInformation
System call numbers information.
Definition SyscallFootprints.h:158
unsigned long DWORD
Definition BasicTypes.h:38
unsigned int UINT32
Definition BasicTypes.h:54
unsigned long ULONG
Definition BasicTypes.h:31
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113
#define LogInfo(format,...)
Define log variables.
Definition HyperDbgHyperLogIntrinsics.h:71
HYPEREVADE_CALLBACKS g_Callbacks
List of callbacks.
Definition Transparency.h:23
UINT64 OptionalParam4
Definition DataTypes.h:346
UINT64 OptionalParam2
Definition DataTypes.h:344
UINT64 OptionalParam1
Definition DataTypes.h:343
UINT64 OptionalParam3
Definition DataTypes.h:345
UINT64 rax
Definition BasicTypes.h:141

◆ TransparentCheckAndModifyCpuid()

IMPORT_EXPORT_HYPEREVADE VOID TransparentCheckAndModifyCpuid ( PGUEST_REGS Regs,
INT32 CpuInfo[] )

Handle CPUID VM exits when the transparent mode is enabled.

Parameters
Regs — The virtual processor's state of registers
CpuInfo — The temporary logical processor registers
Returns
VOID
// CPUID exit filter for transparent mode. CpuInfo[0..3] are the four CPUID output
// registers (index 2 is the RCX/ECX slot, per the comment at the hypervisor-present
// bit below); they are modified in place before being returned to the guest.
// NOTE(review): this rendering drops source lines 26, 31, 37 and 39 — from the
// cross-references they appear to be the TRANSPARENT_EVADE_MASK_CPUID feature-mask
// guard, the leaf tests against CPUID_PROCESSOR_AND_PROCESSOR_FEATURE_IDENTIFIERS /
// CPUID_HV_VENDOR_AND_MAX_FUNCTIONS / HYPERV_CPUID_INTERFACE, and the
// HYPERV_HYPERVISOR_PRESENT_BIT clear. Confirm against Transparency.c.
25{
// Early exit when the CPUID evasion feature is not enabled (condition not rendered here).
27 {
28 return;
29 }
30
// Leaf 1 (processor feature identifiers): hide the hypervisor-present indication.
32 {
33 //
34 // Unset the Hypervisor Present-bit in RCX, which Intel and AMD have both
35 // reserved for this indication
36 //
38 }
// Hypervisor vendor / interface leaves: replace every output register with a fixed,
// non-vendor value. NOTE(review): whether the (unrendered) condition covers the whole
// 0x40000000+ range or only up to HYPERV_CPUID_INTERFACE cannot be told from here.
40 {
41 //
42 // When transparent, all CPUID leaves in the 0x40000000+ range should contain no usable data
43 //
44 CpuInfo[0] = CpuInfo[1] = CpuInfo[2] = CpuInfo[3] = 0x40000000;
45 }
46}
#define HYPERV_CPUID_INTERFACE
Definition Vmx.h:35
#define HYPERV_HYPERVISOR_PRESENT_BIT
Definition Vmx.h:40
#define CPUID_PROCESSOR_AND_PROCESSOR_FEATURE_IDENTIFIERS
CPUID Features.
Definition Constants.h:701
#define TRANSPARENT_EVADE_MASK_CPUID
Definition Constants.h:684
#define CPUID_HV_VENDOR_AND_MAX_FUNCTIONS
The Microsoft Hypervisor interface defined constants.
Definition Constants.h:676
UINT32 g_TransparentEvadeMask
The enabled transparent-mode feature mask.
Definition Transparency.h:72

◆ TransparentCheckAndModifyMsrRead()

IMPORT_EXPORT_HYPEREVADE BOOLEAN TransparentCheckAndModifyMsrRead ( PGUEST_REGS Regs,
UINT32 TargetMsr )

Handle RDMSR VM exits when the Transparent mode is enabled.

Parameters
Regs — The virtual processor's state of registers
TargetMsr — Target MSR in ECX register
Returns
BOOLEAN Whether the emulation should be further continued or not
// RDMSR exit filter for transparent mode. Returns TRUE when the caller should
// stop emulating the instruction (e.g. after an injected fault) and FALSE to
// continue normal emulation. As rendered, every path returns FALSE: the
// reserved-range #GP injection is kept only as commented-out code (see the
// rationale about nested virtualization below), so the function is currently a
// no-op apart from the feature-mask check on the unrendered source line 59
// (presumably a TRANSPARENT_EVADE_MASK_MSR test on g_TransparentEvadeMask).
58{
60 {
61 UNREFERENCED_PARAMETER(Regs);
62 UNREFERENCED_PARAMETER(TargetMsr);
63
64 return FALSE;
65 }
66
67 //
68 // The MSR range between 40000000H and 400000F0H is reserved and usually used by hypervisors
69 // when the guest operating system is Windows to indicate the OS identifier
70 //
71 // Sina: Needs more investigation since injecting #GP on Nested-virtualization environments
72 // will crash the VM on Meteor Lake processors since the OS expects to use synthetic timers
73 // (HV_REGISTER_STIMER0_CONFIG and HV_REGISTER_STIMER0_COUNT) to receive interrupts
74 // Ref: https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/timers
75 //
76 // if (TargetMsr >= RESERVED_MSR_RANGE_LOW && TargetMsr <= RESERVED_MSR_RANGE_HI)
77 // {
78 // LogInfo("RDMSR attempts to write to a reserved MSR range. MSR: %x",
79 // TargetMsr);
80 //
81 // g_Callbacks.EventInjectGeneralProtection();
82 // return TRUE; // Should not emulate further
83 // }
84 // else
85 // {
86 // //
87 // // Not handled in the transparent-mode
88 // //
89 // return FALSE;
90 // }
91
// Both parameters are unused on the live path until the reserved-range handling above is re-enabled.
92 UNREFERENCED_PARAMETER(Regs);
93 UNREFERENCED_PARAMETER(TargetMsr);
94
95 return FALSE;
96}
#define FALSE
Definition BasicTypes.h:113
#define TRANSPARENT_EVADE_MASK_MSR
Definition Constants.h:685

◆ TransparentCheckAndModifyMsrWrite()

IMPORT_EXPORT_HYPEREVADE BOOLEAN TransparentCheckAndModifyMsrWrite ( PGUEST_REGS Regs,
UINT32 TargetMsr )

Handle WRMSR VM exits when the Transparent mode is enabled.

Parameters
Regs — The virtual processor's state of registers
TargetMsr — Target MSR in ECX register
Returns
BOOLEAN Whether the emulation should be further continued or not
// WRMSR exit filter for transparent mode; mirrors TransparentCheckAndModifyMsrRead.
// Returns TRUE to stop emulation, FALSE to continue. As rendered, every path returns
// FALSE — the reserved-range #GP injection is commented out, so the function is
// currently a no-op apart from the feature-mask check on the unrendered source line
// 109 (presumably a TRANSPARENT_EVADE_MASK_MSR test on g_TransparentEvadeMask).
108{
110 {
111 UNREFERENCED_PARAMETER(Regs);
112 UNREFERENCED_PARAMETER(TargetMsr);
113
114 return FALSE;
115 }
116
117 // if (TargetMsr >= RESERVED_MSR_RANGE_LOW && TargetMsr <= RESERVED_MSR_RANGE_HI)
118 // {
119 // //
120 // // The MSR range between 40000000H and 400000F0H is reserved and usually used by hypervisors
121 // // when the guest operating system is Windows to indicate the OS identifier
122 // //
123 //
124 // LogInfo("WRMSR attempts to write to a reserved MSR range. MSR: %x, rax: %llx, rdx: %llx",
125 // TargetMsr,
126 // Regs->rax,
127 // Regs->rdx);
128 //
129 // g_Callbacks.EventInjectGeneralProtection();
130 //
131 // return TRUE; // Should not emulate further
132 // }
133 // else
134 // {
135 // //
136 // // Not handled in the transparent-mode
137 // //
138 // return FALSE;
139 // }
140
// Both parameters are unused on the live path until the reserved-range handling above is re-enabled.
141 UNREFERENCED_PARAMETER(Regs);
142 UNREFERENCED_PARAMETER(TargetMsr);
143
144 return FALSE;
145}

◆ TransparentCheckAndTrapFlagAfterVmexit()

IMPORT_EXPORT_HYPEREVADE VOID TransparentCheckAndTrapFlagAfterVmexit ( )

Handle the trap-flag based anti-debugging technique after a VM exit.

Returns
VOID
// Called after a VM exit whose handling advanced the guest RIP. If the trap-flag
// evasion feature is enabled, defers to the host's trap-flag handler so a pending
// single-step (TF) in the guest is delivered as it would be on bare metal.
// NOTE(review): the guard condition on source line 155 is not rendered; per the
// cross-reference it is presumably a TRANSPARENT_EVADE_MASK_TRAP_FLAG test.
154{
156 {
157 return;
158 }
159
160 //
161 // If RIP is incremented, then we emulate an instruction, and then
162 // we need to handle the trap flag if it is set in a guest
163 //
164 g_Callbacks.HvHandleTrapFlag();
165}
#define TRANSPARENT_EVADE_MASK_TRAP_FLAG
Definition Constants.h:686

◆ TransparentHandleSystemCallHook()

IMPORT_EXPORT_HYPEREVADE VOID TransparentHandleSystemCallHook ( GUEST_REGS * Regs)

Handle the triggered hook on the KiSystemCall64 system call handler when the transparency mode is enabled.

Parameters
Regs — The virtual processor's state of registers
Returns
VOID
// Syscall-entry dispatcher. Regs->rax at KiSystemCall64 entry is the system-call
// number; it is matched against g_SystemCallNumbersInformation and the matching
// TransparentHandleNt...Syscall helper is invoked. Calls from processes on the
// TRANSPARENT_WIN_PROCESS_IGNORE list are left untouched.
// NOTE(review): this rendering drops source line 70 (the g_TransparentMode guard per
// the comment) and the helper-call lines 97, 104, 111, 118, 132, 146, 153, 160 and 167;
// the branch bodies below are not really empty — confirm against SyscallFootprints.c.
66{
67 //
68 // If the transparent mode is not enabled, do nothing
69 //
71 {
72 return;
73 }
74
// NOTE(review): CallingProcess is handed straight to strstr(); if the name callback can
// return NULL (not visible here) that is undefined behaviour — a NULL guard would be cheap.
75 PCHAR CallingProcess = g_Callbacks.CommonGetProcessNameFromProcessControlBlock(PsGetCurrentProcess());
76 UINT64 Context = Regs->rax;
77
78 //
79 // Skip the transparent mitigations of system calls when the caller process
80 // is a Windows process that should receive unmodified data
81 //
// sizeof/sizeof element count only works because TRANSPARENT_WIN_PROCESS_IGNORE is a real
// array (presumably a file-scope table — TODO confirm). strstr() is a substring match, so
// any process whose name merely contains an entry is exempted; use an exact compare if
// that is broader than intended.
82 for (ULONG i = 0; i < (sizeof(TRANSPARENT_WIN_PROCESS_IGNORE) / sizeof(TRANSPARENT_WIN_PROCESS_IGNORE[0])); i++)
83 {
84 if (strstr(CallingProcess, TRANSPARENT_WIN_PROCESS_IGNORE[i]))
85 {
86 return;
87 }
88 }
89
90 if (Context == g_SystemCallNumbersInformation.SysNtQuerySystemInformation ||
91 Context == g_SystemCallNumbersInformation.SysNtQuerySystemInformationEx)
92 {
93 //
94 // Handle the NtQuerySystemInformation System call
95 //
96
98 }
99 else if (Context == g_SystemCallNumbersInformation.SysNtSystemDebugControl)
100 {
101 //
102 // Handle the NtSystemDebugControl System call
103 //
105 }
106 else if (Context == g_SystemCallNumbersInformation.SysNtQueryAttributesFile)
107 {
108 //
109 // Handle the NtQueryAttributesFile System call
110 //
112 }
113 else if (Context == g_SystemCallNumbersInformation.SysNtOpenDirectoryObject)
114 {
115 //
116 // Handle the NtOpenDirectoryObject System call
117 //
119 }
// NtQueryDirectoryObject: handler call is commented out, so this branch is intentionally a no-op.
120 else if (Context == g_SystemCallNumbersInformation.SysNtQueryDirectoryObject)
121 {
122 //
123 // Handle the NtQueryDirectoryObject System call
124 //
125 // TransparentHandleNtQueryDirectoryObjectSyscall(Regs);
126 }
127 else if (Context == g_SystemCallNumbersInformation.SysNtQueryInformationProcess)
128 {
129 //
130 // Handle the NtQueryInformationProcess System call
131 //
133 }
// NtQueryInformationThread: handler call is commented out, so this branch is intentionally a no-op.
134 else if (Context == g_SystemCallNumbersInformation.SysNtQueryInformationThread)
135 {
136 //
137 // Handle the NtQueryInformationThread System call
138 //
139 // TransparentHandleNtQueryInformationThreadSyscall(Regs);
140 }
141 else if (Context == g_SystemCallNumbersInformation.SysNtOpenFile)
142 {
143 //
144 // Handle the NtOpenFile System call
145 //
147 }
148 else if (Context == g_SystemCallNumbersInformation.SysNtOpenKeyEx || Context == g_SystemCallNumbersInformation.SysNtOpenKey)
149 {
150 //
151 // Handle the NtOpenKey System call
152 //
154 }
155 else if (Context == g_SystemCallNumbersInformation.SysNtQueryValueKey)
156 {
157 //
158 // Handle the NtQueryValueKey System call
159 //
161 }
162 else if (Context == g_SystemCallNumbersInformation.SysNtEnumerateKey)
163 {
164 //
165 // Handle the NtEnumerateKey System call
166 //
168 }
169 else
170 {
171 //
172 // The syscall is not important to us
173 //
174 }
175}
VOID TransparentHandleNtQuerySystemInformationSyscall(GUEST_REGS *Regs)
Handle The NtQuerySystemInformation system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:185
VOID TransparentHandleNtQueryInformationProcessSyscall(GUEST_REGS *Regs)
Handle The NtQueryInformationProcess system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:476
VOID TransparentHandleNtQueryValueKeySyscall(GUEST_REGS *Regs)
Handle The NtQueryValueKey system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:625
VOID TransparentHandleNtEnumerateKeySyscall(GUEST_REGS *Regs)
Handle The NtEnumerateKey system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:766
VOID TransparentHandleNtOpenFileSyscall(GUEST_REGS *Regs)
Handle The NtOpenFile system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:504
VOID TransparentHandleNtSystemDebugControlSyscall(GUEST_REGS *Regs)
Handle The NtSystemDebugControl system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:449
VOID TransparentHandleNtOpenKeySyscall(GUEST_REGS *Regs)
Handle The NtOpenKey system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:565
VOID TransparentHandleNtQueryAttributesFileSyscall(GUEST_REGS *Regs)
Handle The NtQueryAttributesFile system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:345
VOID TransparentHandleNtOpenDirectoryObjectSyscall(GUEST_REGS *Regs)
Handle The NtOpenDirectoryObject system call when the Transparent mode is enabled.
Definition SyscallFootprints.c:393
BOOLEAN g_TransparentMode
Shows whether the debugger transparent mode is enabled (true) or not (false).
Definition Transparency.h:66

◆ TransparentHideDebugger()

IMPORT_EXPORT_HYPEREVADE BOOLEAN TransparentHideDebugger ( HYPEREVADE_CALLBACKS * HyperevadeCallbacks,
DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE * TransparentModeRequest )

Hide debugger on transparent-mode (activate transparent-mode).

Parameters
HyperevadeCallbacks — Pointer to the HyperEvade callbacks structure
TransparentModeRequest — Pointer to the transparent debugger mode request
Returns
BOOLEAN
// Activates transparent mode. Validates the requested evade mask and the callback
// table, stores both, then enables the mode unless it is already active. Returns
// TRUE on success; on failure TransparentModeRequest->KernelStatus carries the
// reason (the status assignments on source lines 36 and 50 are not rendered here;
// per the cross-references they are DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER).
// NOTE(review): lines 31, 63, 68, 70 and 82 are also unrendered — presumably the
// TRANSPARENT_EVADE_MASK_DEFAULT fallback, the g_TransparentMode test, the
// RtlCopyMemory of SystemCallNumbersInformation, and setting g_TransparentMode = TRUE.
26{
27 UINT32 EvadeMask = TransparentModeRequest->EvadeMask;
28
// An empty mask is not an error: the (unrendered) body presumably substitutes TRANSPARENT_EVADE_MASK_DEFAULT.
29 if (EvadeMask == 0)
30 {
32 }
33
// Reject masks carrying bits outside the known feature set.
34 if ((EvadeMask & ~TRANSPARENT_EVADE_MASK_ALL) != 0)
35 {
37 return FALSE;
38 }
39
40 //
41 // Check if any of the required callbacks are NULL
42 //
// NOTE(review): this treats HYPEREVADE_CALLBACKS as a flat array of pointer-sized entries.
// That only holds while every member is a pointer and there is no padding; a non-pointer
// member added later would be misread here. A _Static_assert on the struct size, or
// per-member checks, would make the assumption explicit.
43 for (UINT32 i = 0; i < sizeof(HYPEREVADE_CALLBACKS) / sizeof(UINT64); i++)
44 {
45 if (((PVOID *)HyperevadeCallbacks)[i] == NULL)
46 {
47 //
48 // The callback has null entry, so we cannot proceed
49 //
51 return FALSE;
52 }
53 }
54
55 //
56 // Save the callbacks
57 //
// NOTE(review): g_Callbacks is overwritten before the "already hidden" check below, so a
// rejected second activation still replaces the callback table in use — confirm intended.
58 RtlCopyMemory(&g_Callbacks, HyperevadeCallbacks, sizeof(HYPEREVADE_CALLBACKS));
59
60 //
61 // Check whether the transparent-mode was already initialized or not
62 //
64 {
65 //
66 // Store the system-call numbers information
67 //
69 &TransparentModeRequest->SystemCallNumbersInformation,
71#if ActivateHyperEvadeProject == TRUE
72 //
73 // Choose a random genuine vendor string to replace hypervisor vendor data
74 //
// TransparentGetRand() is RDTSC-based (see its description); that is adequate for picking a
// table entry but is not a cryptographic source, and the modulo makes the choice slightly biased.
75 g_TransparentGenuineVendorStringIndex = TransparentGetRand() %
76 (sizeof(TRANSPARENT_LEGIT_VENDOR_STRINGS_WCHAR) / sizeof(TRANSPARENT_LEGIT_VENDOR_STRINGS_WCHAR[0]));
77#endif
78
79 //
80 // Enable the transparent mode
81 //
// The possibly-defaulted mask is written back so the caller can see which features are active.
83 g_TransparentEvadeMask = EvadeMask;
84 TransparentModeRequest->EvadeMask = EvadeMask;
85 TransparentModeRequest->KernelStatus = DEBUGGER_OPERATION_WAS_SUCCESSFUL;
86
87 //
88 // Successfully enabled the transparent-mode
89 //
90 return TRUE;
91 }
92 else
93 {
94 TransparentModeRequest->KernelStatus = DEBUGGER_ERROR_DEBUGGER_ALREADY_HIDE;
95 return FALSE;
96 }
97}
UINT32 TransparentGetRand()
Generate a random number by utilizing RDTSC instruction.
Definition Transparency.c:130
void * PVOID
Definition BasicTypes.h:56
#define TRUE
Definition BasicTypes.h:114
#define TRANSPARENT_EVADE_MASK_DEFAULT
Definition Constants.h:689
#define TRANSPARENT_EVADE_MASK_ALL
Definition Constants.h:687
#define DEBUGGER_ERROR_DEBUGGER_ALREADY_HIDE
error, the debugger is already in transparent-mode
Definition ErrorCodes.h:93
#define DEBUGGER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
error, unable to hide the debugger and enter to transparent-mode
Definition ErrorCodes.h:87
#define DEBUGGER_OPERATION_WAS_SUCCESSFUL
General value to indicate that the operation or request was successful.
Definition ErrorCodes.h:23
struct _SYSTEM_CALL_NUMBERS_INFORMATION SYSTEM_CALL_NUMBERS_INFORMATION
Windows System call values that are intercepted by transparency mode.
struct _HYPEREVADE_CALLBACKS HYPEREVADE_CALLBACKS
Prototype of each function needed by hyperevade module.
SYSTEM_CALL_NUMBERS_INFORMATION SystemCallNumbersInformation
Definition RequestStructures.h:611
UINT32 KernelStatus
Definition RequestStructures.h:613
UINT32 EvadeMask
Definition RequestStructures.h:617

◆ TransparentUnhideDebugger()

IMPORT_EXPORT_HYPEREVADE BOOLEAN TransparentUnhideDebugger ( )

Deactivate transparent-mode.

Returns
BOOLEAN
// Deactivates transparent mode. Returns TRUE if the mode was active and has been
// disabled, FALSE if it was not active (no state is changed in that case).
// NOTE(review): source lines 107, 112 and 113 are not rendered; from the surrounding
// comment they are presumably the g_TransparentMode test and the reset of
// g_TransparentMode (and possibly g_TransparentEvadeMask) — confirm in Transparency.c.
106{
107 {
109 //
110 // Disable the transparent-mode
111 //
114
115 return TRUE;
116 }
117 else
118 {
119 return FALSE;
120 }
121}