unhide.cpp File Reference

!unhide command More...

#include "pch.h"

Functions
VOID	CommandUnhideHelp ()
	help of the !unhide command
VOID	CommandUnhide (vector< string > SplitCommand, string Command)
	!unhide command handler

Detailed Description

!unhide command

Author

Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)

Version

0.1

Date

2020-07-07

Copyright

This project is released under the GNU Public License v3.

Function Documentation

CommandUnhide()

VOID CommandUnhide	(	vector< string >	SplitCommand,
		string	Command )

!unhide command handler

Parameters

SplitCommand
Command

Returns

VOID

{
    BOOLEAN                                     Status;
    ULONG                                       ReturnedLength;
    DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE UnhideRequest = {0};
 
    if (SplitCommand.size() >= 2)
    {
        ShowMessages("incorrect use of the '!unhide'\n\n");
        CommandUnhideHelp();
        return;
    }
 
    //
    // Check if debugger is loaded or not
    //
    AssertShowMessageReturnStmt(g_DeviceHandle, ASSERT_MESSAGE_DRIVER_NOT_LOADED, AssertReturn);
 
    //
    // We don't wanna hide the debugger and make transparent vm-exits
    //
    UnhideRequest.IsHide = FALSE;
 
    //
    // Send the request to the kernel
    //
    Status = DeviceIoControl(
        g_DeviceHandle,                                             // Handle to device
        IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER, // IO Control
                                                                    // code
        &UnhideRequest,                                             // Input Buffer to driver.
        SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE,         // Input buffer length
        &UnhideRequest,                                             // Output Buffer from driver.
        SIZEOF_DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE,         // Length of output
                                                                    // buffer in bytes.
        &ReturnedLength,                                            // Bytes placed in buffer.
        NULL                                                        // synchronous call
    );
 
    if (!Status)
    {
        ShowMessages("ioctl failed with code 0x%x\n", GetLastError());
        return;
    }
 
    if (UnhideRequest.KernelStatus == DEBUGGER_OPERATION_WAS_SUCCESSFUL)
    {
        ShowMessages("transparent debugging successfully disabled :)\n");
    }
    else if (UnhideRequest.KernelStatus ==
             DEBUGGER_ERROR_DEBUGGER_ALREADY_UHIDE)
    {
        ShowMessages("debugger is not in transparent-mode\n");
    }
    else
    {
        ShowMessages("unknown error occurred :(\n");
    }
}

CommandUnhideHelp()

VOID CommandUnhideHelp

(

)

help of the !unhide command

Returns

VOID

{
    ShowMessages("!unhide : reverts the transparency measures of the '!hide' command.\n\n");
 
    ShowMessages("syntax : \t!unhide\n");
 
    ShowMessages("\n");
    ShowMessages("\t\te.g : !unhide\n");
}