├── .gitattributes
├── .gitignore
├── .gitmodules
├── HyperHide.ini
├── HyperHide.sln
├── HyperHide
├── HyperHide.vcxproj
├── HyperHide.vcxproj.filters
├── HyperHide.vcxproj.user
├── HyperHideDrv.cpp
├── HyperHideDrv.h
├── HyperHideIcon.png
├── IniApi.cpp
├── IniApi.h
├── Ioctl.h
├── Settings.cpp
├── Settings.h
├── Tooltips.cpp
├── Tooltips.h
├── pluginconfig.h
├── pluginmain.cpp
├── pluginmain.h
├── pluginsdk
│ ├── DeviceNameResolver
│ │ ├── DeviceNameResolver.h
│ │ ├── DeviceNameResolver_x64.a
│ │ ├── DeviceNameResolver_x64.lib
│ │ ├── DeviceNameResolver_x86.a
│ │ └── DeviceNameResolver_x86.lib
│ ├── TitanEngine
│ │ ├── TitanEngine.h
│ │ ├── TitanEngine_x64.a
│ │ ├── TitanEngine_x64.lib
│ │ ├── TitanEngine_x86.a
│ │ └── TitanEngine_x86.lib
│ ├── XEDParse
│ │ ├── XEDParse.h
│ │ ├── XEDParse_x64.a
│ │ ├── XEDParse_x64.lib
│ │ ├── XEDParse_x86.a
│ │ └── XEDParse_x86.lib
│ ├── _dbgfunctions.h
│ ├── _plugin_types.h
│ ├── _plugins.h
│ ├── _scriptapi.h
│ ├── _scriptapi_argument.h
│ ├── _scriptapi_assembler.h
│ ├── _scriptapi_bookmark.h
│ ├── _scriptapi_comment.h
│ ├── _scriptapi_debug.h
│ ├── _scriptapi_flag.h
│ ├── _scriptapi_function.h
│ ├── _scriptapi_gui.h
│ ├── _scriptapi_label.h
│ ├── _scriptapi_memory.h
│ ├── _scriptapi_misc.h
│ ├── _scriptapi_module.h
│ ├── _scriptapi_pattern.h
│ ├── _scriptapi_register.h
│ ├── _scriptapi_stack.h
│ ├── _scriptapi_symbol.h
│ ├── bridgegraph.h
│ ├── bridgelist.h
│ ├── bridgemain.h
│ ├── dbghelp
│ │ ├── dbghelp.h
│ │ ├── dbghelp_x64.a
│ │ ├── dbghelp_x64.lib
│ │ ├── dbghelp_x86.a
│ │ └── dbghelp_x86.lib
│ ├── jansson
│ │ ├── jansson.h
│ │ ├── jansson_config.h
│ │ ├── jansson_x64.a
│ │ ├── jansson_x64.lib
│ │ ├── jansson_x64dbg.h
│ │ ├── jansson_x86.a
│ │ └── jansson_x86.lib
│ ├── lz4
│ │ ├── lz4.h
│ │ ├── lz4_x64.a
│ │ ├── lz4_x64.lib
│ │ ├── lz4_x86.a
│ │ ├── lz4_x86.lib
│ │ ├── lz4file.h
│ │ └── lz4hc.h
│ ├── x32bridge.lib
│ ├── x32dbg.lib
│ ├── x64bridge.lib
│ └── x64dbg.lib
├── resource.h
└── resource.rc
├── HyperHideDrv
├── Dispatcher.cpp
├── Dispatcher.h
├── Driver.cpp
├── GlobalData.h
├── Heap.cpp
├── Heap.h
├── Hider.cpp
├── Hider.h
├── HookHelper.cpp
├── HookHelper.h
├── HookedFunctions.cpp
├── HookedFunctions.h
├── HyperHideDrv.vcxproj
├── HyperHideDrv.vcxproj.filters
├── HypervisorGateway.cpp
├── HypervisorGateway.h
├── Ioctl.h
├── KuserSharedData.cpp
├── KuserSharedData.h
├── Log.cpp
├── Log.h
├── Notifiers.cpp
├── Notifiers.h
├── Ntapi.h
├── Ntenums.h
├── Ntstructs.h
├── Peb.cpp
├── Peb.h
├── Pte.h
├── Ssdt.cpp
├── Ssdt.h
├── Utils.cpp
├── Utils.h
├── vmintrin.asm
└── vmintrin.h
├── Images
├── x32dbg.png
└── x64dbg.png
├── LICENSE
├── README.md
└── Scripts
├── create.bat
├── off.bat
└── on.bat
/.gitattributes:
--------------------------------------------------------------------------------
1 | *.h linguist-language=c++
2 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Ll]og/
33 | [Ll]ogs/
34 |
35 | # Visual Studio 2015/2017 cache/options directory
36 | .vs/
37 | # Uncomment if you have tasks that create the project's static files in wwwroot
38 | #wwwroot/
39 |
40 | # Visual Studio 2017 auto generated files
41 | Generated\ Files/
42 |
43 | # MSTest test Results
44 | [Tt]est[Rr]esult*/
45 | [Bb]uild[Ll]og.*
46 |
47 | # NUnit
48 | *.VisualState.xml
49 | TestResult.xml
50 | nunit-*.xml
51 |
52 | # Build Results of an ATL Project
53 | [Dd]ebugPS/
54 | [Rr]eleasePS/
55 | dlldata.c
56 |
57 | # Benchmark Results
58 | BenchmarkDotNet.Artifacts/
59 |
60 | # .NET Core
61 | project.lock.json
62 | project.fragment.lock.json
63 | artifacts/
64 |
65 | # ASP.NET Scaffolding
66 | ScaffoldingReadMe.txt
67 |
68 | # StyleCop
69 | StyleCopReport.xml
70 |
71 | # Files built by Visual Studio
72 | *_i.c
73 | *_p.c
74 | *_h.h
75 | *.ilk
76 | *.meta
77 | *.obj
78 | *.iobj
79 | *.pch
80 | *.pdb
81 | *.ipdb
82 | *.pgc
83 | *.pgd
84 | *.rsp
85 | *.sbr
86 | *.tlb
87 | *.tli
88 | *.tlh
89 | *.tmp
90 | *.tmp_proj
91 | *_wpftmp.csproj
92 | *.log
93 | *.tlog
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produce more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
298 | *.vbp
299 |
300 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
301 | *.dsw
302 | *.dsp
303 |
304 | # Visual Studio 6 technical files
305 | *.ncb
306 | *.aps
307 |
308 | # Visual Studio LightSwitch build output
309 | **/*.HTMLClient/GeneratedArtifacts
310 | **/*.DesktopClient/GeneratedArtifacts
311 | **/*.DesktopClient/ModelManifest.xml
312 | **/*.Server/GeneratedArtifacts
313 | **/*.Server/ModelManifest.xml
314 | _Pvt_Extensions
315 |
316 | # Paket dependency manager
317 | .paket/paket.exe
318 | paket-files/
319 |
320 | # FAKE - F# Make
321 | .fake/
322 |
323 | # CodeRush personal settings
324 | .cr/personal
325 |
326 | # Python Tools for Visual Studio (PTVS)
327 | __pycache__/
328 | *.pyc
329 |
330 | # Cake - Uncomment if you are using it
331 | # tools/**
332 | # !tools/packages.config
333 |
334 | # Tabs Studio
335 | *.tss
336 |
337 | # Telerik's JustMock configuration file
338 | *.jmconfig
339 |
340 | # BizTalk build output
341 | *.btp.cs
342 | *.btm.cs
343 | *.odx.cs
344 | *.xsd.cs
345 |
346 | # OpenCover UI analysis results
347 | OpenCover/
348 |
349 | # Azure Stream Analytics local run output
350 | ASALocalRun/
351 |
352 | # MSBuild Binary and Structured Log
353 | *.binlog
354 |
355 | # NVidia Nsight GPU debugger configuration file
356 | *.nvuser
357 |
358 | # MFractors (Xamarin productivity tool) working folder
359 | .mfractor/
360 |
361 | # Local History for Visual Studio
362 | .localhistory/
363 |
364 | # Visual Studio History (VSHistory) files
365 | .vshistory/
366 |
367 | # BeatPulse healthcheck temp database
368 | healthchecksdb
369 |
370 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
371 | MigrationBackup/
372 |
373 | # Ionide (cross platform F# VS Code tools) working folder
374 | .ionide/
375 |
376 | # Fody - auto-generated XML schema
377 | FodyWeavers.xsd
378 |
379 | # VS Code files for those working on multiple tools
380 | .vscode/*
381 | !.vscode/settings.json
382 | !.vscode/tasks.json
383 | !.vscode/launch.json
384 | !.vscode/extensions.json
385 | *.code-workspace
386 |
387 | # Local History for Visual Studio Code
388 | .history/
389 |
390 | # Windows Installer files from build outputs
391 | *.cab
392 | *.msi
393 | *.msix
394 | *.msm
395 | *.msp
396 |
397 | # JetBrains Rider
398 | *.sln.iml
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "airhv"]
2 | path = airhv
3 | url = https://github.com/Air14/airhv
4 |
--------------------------------------------------------------------------------
/HyperHide.ini:
--------------------------------------------------------------------------------
1 | [SETTINGS]
2 | CurrentProfile=Default Create Process
3 | [Default Create Process]
4 | NtQueryInformationProcess=1
5 | NtQueryInformationJobObject=1
6 | NtQueryObject=1
7 | NtQueryPerformanceCounter=1
8 | NtQuerySystemInformation=1
9 | NtQuerySystemTime=1
10 | NtClose=1
11 | NtGetContextThread=1
12 | NtSetContextThread=1
13 | NtContinue=1
14 | NtCreateUserProcess=1
15 | NtCreateProcessEx=1
16 | NtCreateThreadEx=1
17 | NtGetNextProcess=1
18 | NtOpenThread=1
19 | NtOpenProcess=1
20 | NtCreateFile=1
21 | NtYieldExecution=1
22 | NtSystemDebugControl=1
23 | NtSetInformationThread=1
24 | NtUserBuildHwndList=1
25 | NtUserFindWindowEx=1
26 | NtUserGetForegroundWindow=1
27 | NtUserQueryWindow=1
28 | KiExceptionDispatch=1
29 | HookKuserSharedData=1
30 | HeapFlags=1
31 | ClearKuserSharedData=0
32 | ThreadHideFromDebuggerFlag=0
33 | ThreadBypassProcessFreeze=0
34 | NtQueryInformationThread=1
35 | NtSetInformationProcess=1
36 | ProcessBreakOnTerminationFlag=0
37 | ThreadBreakOnTerminationFlag=0
38 | ProcessDebugFlags=0
39 | ProcessHandleTracing=0
40 | PebBeingDebugged=1
41 | PebNtGlobalFlag=1
42 | [Default Attach]
43 | NtQueryInformationProcess=1
44 | NtQueryInformationJobObject=1
45 | NtQueryInformationThread=1
46 | NtQueryObject=1
47 | NtQueryPerformanceCounter=1
48 | NtQuerySystemInformation=1
49 | NtQuerySystemTime=1
50 | NtClose=1
51 | NtGetContextThread=1
52 | NtSetContextThread=1
53 | NtContinue=1
54 | NtCreateUserProcess=1
55 | NtCreateProcessEx=1
56 | NtCreateThreadEx=1
57 | NtGetNextProcess=1
58 | NtOpenThread=1
59 | NtOpenProcess=1
60 | NtCreateFile=1
61 | NtYieldExecution=1
62 | NtSystemDebugControl=1
63 | NtSetInformationThread=1
64 | NtSetInformationProcess=1
65 | NtUserBuildHwndList=1
66 | NtUserFindWindowEx=1
67 | NtUserGetForegroundWindow=1
68 | NtUserQueryWindow=1
69 | KiExceptionDispatch=1
70 | HookKuserSharedData=1
71 | HeapFlags=0
72 | ClearKuserSharedData=0
73 | ThreadHideFromDebuggerFlag=1
74 | ThreadBypassProcessFreeze=1
75 | ProcessBreakOnTerminationFlag=1
76 | ThreadBreakOnTerminationFlag=1
77 | ProcessDebugFlags=1
78 | ProcessHandleTracing=1
79 | PebBeingDebugged=1
80 | PebNtGlobalFlag=0
81 | [Themida]
82 | NtQueryInformationProcess=1
83 | NtQueryInformationJobObject=0
84 | NtQueryInformationThread=0
85 | NtQueryObject=0
86 | NtQueryPerformanceCounter=0
87 | NtQuerySystemInformation=1
88 | NtQuerySystemTime=0
89 | NtClose=0
90 | NtGetContextThread=0
91 | NtSetContextThread=0
92 | NtContinue=0
93 | NtCreateUserProcess=0
94 | NtCreateProcessEx=0
95 | NtCreateThreadEx=0
96 | NtGetNextProcess=0
97 | NtOpenThread=0
98 | NtOpenProcess=0
99 | NtCreateFile=0
100 | NtYieldExecution=0
101 | NtSystemDebugControl=0
102 | NtSetInformationThread=0
103 | NtSetInformationProcess=0
104 | NtUserBuildHwndList=1
105 | NtUserFindWindowEx=1
106 | NtUserGetForegroundWindow=1
107 | NtUserQueryWindow=1
108 | KiExceptionDispatch=0
109 | HookKuserSharedData=0
110 | HeapFlags=1
111 | ClearKuserSharedData=0
112 | ThreadHideFromDebuggerFlag=0
113 | ThreadBypassProcessFreeze=0
114 | ProcessBreakOnTerminationFlag=0
115 | ThreadBreakOnTerminationFlag=0
116 | ProcessDebugFlags=0
117 | ProcessHandleTracing=0
118 | PebBeingDebugged=1
119 | PebNtGlobalFlag=1
120 | [VMProtect]
121 | NtQueryInformationProcess=1
122 | NtQueryInformationJobObject=0
123 | NtQueryInformationThread=0
124 | NtQueryObject=1
125 | NtQueryPerformanceCounter=0
126 | NtQuerySystemInformation=0
127 | NtQuerySystemTime=0
128 | NtClose=1
129 | NtGetContextThread=0
130 | NtSetContextThread=0
131 | NtContinue=0
132 | NtCreateUserProcess=0
133 | NtCreateProcessEx=0
134 | NtCreateThreadEx=0
135 | NtGetNextProcess=0
136 | NtOpenThread=0
137 | NtOpenProcess=0
138 | NtCreateFile=0
139 | NtYieldExecution=0
140 | NtSystemDebugControl=0
141 | NtSetInformationThread=1
142 | NtSetInformationProcess=0
143 | NtUserBuildHwndList=0
144 | NtUserFindWindowEx=0
145 | NtUserGetForegroundWindow=0
146 | NtUserQueryWindow=0
147 | KiExceptionDispatch=0
148 | HookKuserSharedData=0
149 | HeapFlags=1
150 | ClearKuserSharedData=0
151 | ThreadHideFromDebuggerFlag=0
152 | ThreadBypassProcessFreeze=0
153 | ProcessBreakOnTerminationFlag=0
154 | ThreadBreakOnTerminationFlag=0
155 | ProcessDebugFlags=0
156 | ProcessHandleTracing=0
157 | [Obsidium]
158 | NtQueryInformationProcess=1
159 | NtQueryInformationJobObject=0
160 | NtQueryInformationThread=0
161 | NtQueryObject=0
162 | NtQueryPerformanceCounter=0
163 | NtQuerySystemInformation=1
164 | NtQuerySystemTime=0
165 | NtClose=1
166 | NtGetContextThread=0
167 | NtSetContextThread=0
168 | NtContinue=0
169 | NtCreateUserProcess=0
170 | NtCreateProcessEx=0
171 | NtCreateThreadEx=0
172 | NtGetNextProcess=0
173 | NtOpenThread=0
174 | NtOpenProcess=0
175 | NtCreateFile=0
176 | NtYieldExecution=0
177 | NtSystemDebugControl=0
178 | NtSetInformationThread=0
179 | NtSetInformationProcess=1
180 | NtUserBuildHwndList=1
181 | NtUserFindWindowEx=1
182 | NtUserGetForegroundWindow=1
183 | NtUserQueryWindow=1
184 | KiExceptionDispatch=0
185 | HookKuserSharedData=0
186 | HeapFlags=1
187 | ClearKuserSharedData=0
188 | ThreadHideFromDebuggerFlag=0
189 | ThreadBypassProcessFreeze=0
190 | ProcessBreakOnTerminationFlag=0
191 | ThreadBreakOnTerminationFlag=0
192 | ProcessDebugFlags=0
193 | ProcessHandleTracing=0
194 | PebBeingDebugged=1
195 | PebNtGlobalFlag=1
196 | [Disabled]
197 | NtQueryInformationProcess=0
198 | NtQueryInformationJobObject=0
199 | NtQueryObject=0
200 | NtQueryPerformanceCounter=0
201 | NtQuerySystemInformation=0
202 | NtQuerySystemTime=0
203 | NtClose=0
204 | NtGetContextThread=0
205 | NtSetContextThread=0
206 | NtContinue=0
207 | NtCreateUserProcess=0
208 | NtCreateProcessEx=0
209 | NtCreateThreadEx=0
210 | NtGetNextProcess=0
211 | NtOpenThread=0
212 | NtOpenProcess=0
213 | NtCreateFile=0
214 | NtYieldExecution=0
215 | NtSystemDebugControl=0
216 | NtSetInformationThread=0
217 | NtUserBuildHwndList=0
218 | NtUserFindWindowEx=0
219 | NtUserGetForegroundWindow=0
220 | NtUserQueryWindow=0
221 | KiExceptionDispatch=0
222 | HookKuserSharedData=0
223 | HeapFlags=0
224 | ClearKuserSharedData=0
225 | ThreadHideFromDebuggerFlag=0
226 | ThreadBypassProcessFreeze=0
227 | NtSetInformationProcess=0
228 | ProcessBreakOnTerminationFlag=0
229 | ThreadBreakOnTerminationFlag=0
230 | ProcessDebugFlags=0
231 | ProcessHandleTracing=0
232 | NtQueryInformationThread=0
233 |
--------------------------------------------------------------------------------
/HyperHide.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31313.79
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HyperHide", "HyperHide\HyperHide.vcxproj", "{062CB708-969A-4A0D-8A4C-3C2ADE786BCA}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HyperHideDrv", "HyperHideDrv\HyperHideDrv.vcxproj", "{1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|x64 = Release|x64
15 | Release|x86 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Debug|x64.ActiveCfg = Debug|x64
19 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Debug|x64.Build.0 = Debug|x64
20 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Debug|x86.ActiveCfg = Debug|Win32
21 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Debug|x86.Build.0 = Debug|Win32
22 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Release|x64.ActiveCfg = Release|x64
23 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Release|x64.Build.0 = Release|x64
24 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Release|x86.ActiveCfg = Release|Win32
25 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Release|x86.Build.0 = Release|Win32
26 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Debug|x64.ActiveCfg = Debug|x64
27 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Debug|x64.Build.0 = Debug|x64
28 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Debug|x64.Deploy.0 = Debug|x64
29 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Debug|x86.ActiveCfg = Debug|x64
30 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Release|x64.ActiveCfg = Release|x64
31 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Release|x64.Build.0 = Release|x64
32 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Release|x64.Deploy.0 = Release|x64
33 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Release|x86.ActiveCfg = Release|x64
34 | EndGlobalSection
35 | GlobalSection(SolutionProperties) = preSolution
36 | HideSolutionNode = FALSE
37 | EndGlobalSection
38 | GlobalSection(ExtensibilityGlobals) = postSolution
39 | SolutionGuid = {76619BE2-56D9-493D-AB43-205FF39B24D1}
40 | EndGlobalSection
41 | EndGlobal
42 |
--------------------------------------------------------------------------------
/HyperHide/HyperHide.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {062cb708-969a-4a0d-8a4c-3c2ade786bca}
25 | HyperHide
26 | 10.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v142
33 | MultiByte
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 | .dp32
76 |
77 |
78 | false
79 | .dp32
80 |
81 |
82 | true
83 | .dp64
84 |
85 |
86 | false
87 | .dp64
88 |
89 |
90 |
91 | Level3
92 | true
93 | WIN32;_DEBUG;HYPERHIDE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
94 | true
95 | NotUsing
96 | pch.h
97 |
98 |
99 | Windows
100 | true
101 | false
102 |
103 |
104 |
105 |
106 | Level3
107 | true
108 | true
109 | true
110 | WIN32;NDEBUG;HYPERHIDE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
111 | true
112 | NotUsing
113 | pch.h
114 |
115 |
116 | Windows
117 | true
118 | true
119 | true
120 | false
121 |
122 |
123 |
124 |
125 | Level3
126 | true
127 | _DEBUG;HYPERHIDE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
128 | true
129 | NotUsing
130 | pch.h
131 |
132 |
133 | Windows
134 | true
135 | false
136 |
137 |
138 |
139 |
140 | Level3
141 | true
142 | true
143 | true
144 | NDEBUG;HYPERHIDE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
145 | true
146 | NotUsing
147 | pch.h
148 | Speed
149 |
150 |
151 | Windows
152 | true
153 | true
154 | true
155 | false
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 |
188 |
189 |
190 |
191 |
192 |
193 |
194 |
195 |
196 |
197 |
198 |
199 |
200 |
201 |
202 |
203 |
204 |
205 |
206 |
207 |
208 |
209 |
210 |
211 |
212 |
213 |
214 |
--------------------------------------------------------------------------------
/HyperHide/HyperHide.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {dab66bff-41b8-4565-9014-fcbdfb5f90ef}
18 |
19 |
20 | {55fdb174-9c3c-4aa1-a29e-633b2116b0e2}
21 |
22 |
23 | {b509bc64-712e-4f1d-8fcd-8464ab18027d}
24 |
25 |
26 | {f1442a93-12a2-4f66-804f-1736a7cff4e9}
27 |
28 |
29 | {90b96485-c119-4993-bb63-6ea7a28c19c7}
30 |
31 |
32 | {3d0c3f46-f5e3-4201-ae30-650129cdb2fd}
33 |
34 |
35 | {94f82481-a832-4632-8075-fa3357383883}
36 |
37 |
38 |
39 |
40 | Header Files
41 |
42 |
43 | Header Files
44 |
45 |
46 | Header Files
47 |
48 |
49 | pluginsdk
50 |
51 |
52 | pluginsdk
53 |
54 |
55 | pluginsdk
56 |
57 |
58 | pluginsdk
59 |
60 |
61 | pluginsdk
62 |
63 |
64 | pluginsdk
65 |
66 |
67 | pluginsdk
68 |
69 |
70 | pluginsdk
71 |
72 |
73 | pluginsdk
74 |
75 |
76 | pluginsdk
77 |
78 |
79 | pluginsdk
80 |
81 |
82 | pluginsdk
83 |
84 |
85 | pluginsdk
86 |
87 |
88 | pluginsdk
89 |
90 |
91 | pluginsdk
92 |
93 |
94 | pluginsdk
95 |
96 |
97 | pluginsdk
98 |
99 |
100 | pluginsdk
101 |
102 |
103 | pluginsdk
104 |
105 |
106 | pluginsdk
107 |
108 |
109 | pluginsdk
110 |
111 |
112 | pluginsdk
113 |
114 |
115 | pluginsdk
116 |
117 |
118 | pluginsdk\XEDParse
119 |
120 |
121 | pluginsdk\TitanEngine
122 |
123 |
124 | pluginsdk\lz4
125 |
126 |
127 | pluginsdk\lz4
128 |
129 |
130 | pluginsdk\lz4
131 |
132 |
133 | pluginsdk\jansson
134 |
135 |
136 | pluginsdk\jansson
137 |
138 |
139 | pluginsdk\jansson
140 |
141 |
142 | pluginsdk\DeviceNameResolver
143 |
144 |
145 | pluginsdk\dbghelp
146 |
147 |
148 | Header Files
149 |
150 |
151 | Header Files
152 |
153 |
154 | Header Files
155 |
156 |
157 | Header Files
158 |
159 |
160 | Header Files
161 |
162 |
163 |
164 |
165 | Source Files
166 |
167 |
168 | Source Files
169 |
170 |
171 | Source Files
172 |
173 |
174 | Source Files
175 |
176 |
177 | Source Files
178 |
179 |
180 |
181 |
182 | Resource Files
183 |
184 |
185 |
--------------------------------------------------------------------------------
/HyperHide/HyperHide.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/HyperHide/HyperHideDrv.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include "HyperHideDrv.h"
3 | #include "Ioctl.h"
4 |
5 |
// Nothing to do at construction: DriverHandle and Pid keep their in-class
// defaults until CreateHandleToDriver() / SetTargetPid() are called.
HyperHideDrv::HyperHideDrv() = default;
9 |
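// Makes the hypervisor visible again and releases the device handle.
//
// Both steps need an open handle, so it is validated once up front instead of
// sending the visibility IOCTL through an unopened/invalid handle first and
// only checking it afterwards.
HyperHideDrv::~HyperHideDrv()
{
    const bool HandleIsOpen =
        this->DriverHandle != 0 && this->DriverHandle != INVALID_HANDLE_VALUE;
    if (!HandleIsOpen)
        return;

    // Undo the hiding while the handle the IOCTL needs is still open.
    SetHyperVisorVisibility(TRUE);
    CloseHandle(this->DriverHandle);
}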
16 |
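// Opens a handle to the HyperHideDrv device so IOCTLs can be issued.
//
// Returns TRUE when the handle was obtained, FALSE otherwise (GetLastError()
// then carries the Win32 reason, e.g. the driver is not loaded).
// A handle left open by an earlier call is closed first so repeated calls do
// not leak it.
BOOLEAN HyperHideDrv::CreateHandleToDriver()
{
    if (this->DriverHandle != 0 && this->DriverHandle != INVALID_HANDLE_VALUE)
        CloseHandle(this->DriverHandle);

    // Use the device path declared in the header rather than a second literal
    // so the two cannot drift apart.
    this->DriverHandle = CreateFileA(
        this->HyperHideDrvLink.c_str(),
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,           // no security attributes
        OPEN_EXISTING,  // the device object must already exist
        0,
        NULL);

    return this->DriverHandle != INVALID_HANDLE_VALUE;
}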
24 |
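// Sends `Ioctl` to the driver with the target PID as the only input.
//
// Ioctl  - control code to issue (an IOCTL_* value from Ioctl.h).
// Returns FALSE when no target PID has been set, when no driver handle is
// open, or when DeviceIoControl fails; TRUE otherwise.
BOOLEAN HyperHideDrv::CallDriver(size_t Ioctl)
{
    if (this->Pid == 0)
        return FALSE;

    if (this->DriverHandle == 0 || this->DriverHandle == INVALID_HANDLE_VALUE)
        return FALSE;

    // The parameter is declared size_t in the header but DeviceIoControl takes
    // a DWORD control code; narrow explicitly instead of implicitly on x64.
    const DWORD ControlCode = static_cast<DWORD>(Ioctl);

    DWORD BytesReturned = 0;
    const BOOL Ok = DeviceIoControl(
        this->DriverHandle,
        ControlCode,
        &this->Pid, sizeof(this->Pid),  // input: the PID to operate on
        NULL, 0,                         // no output buffer
        &BytesReturned, NULL);           // synchronous, no OVERLAPPED

    return Ok != FALSE;
}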
40 |
// Forwards `Value` to the driver via IOCTL_SET_HYPERVISOR_VISIBILITY.
// TRUE presumably means "visible" (the destructor passes TRUE on teardown).
// The result of the call is not reported to the caller.
void HyperHideDrv::SetHyperVisorVisibility(BOOLEAN Value)
{
    BOOLEAN Visible = Value;
    DWORD Unused = 0;
    (void)DeviceIoControl(this->DriverHandle, IOCTL_SET_HYPERVISOR_VISIBILITY,
                          &Visible, sizeof(Visible), NULL, 0, &Unused, NULL);
}
53 |
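// Applies the set of hooks and flag clears described by HideInfo to the
// target process.
//
// HideInfo - selection of hooks/clears; its Pid field is overwritten with the
//            PID set via SetTargetPid() before the struct is sent.
// Returns FALSE when no target PID is set or the IOCTL fails; TRUE otherwise.
BOOLEAN HyperHideDrv::Hide(HIDE_INFO& HideInfo)
{
    // Pid is an integer, so compare against 0 (as CallDriver does), not NULL.
    if (this->Pid == 0)
        return FALSE;

    HideInfo.Pid = this->Pid;

    DWORD BytesReturned = 0;
    const BOOL Ok = DeviceIoControl(
        this->DriverHandle,
        IOCTL_HIDE_FROM_SYSCALL,
        &HideInfo, sizeof(HideInfo),  // the whole struct is the input buffer
        NULL, 0,                      // no output buffer
        &BytesReturned, NULL);

    return Ok != FALSE;
}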
71 |
// Exposes the raw device handle (0 before CreateHandleToDriver(),
// INVALID_HANDLE_VALUE when that call failed).
HANDLE HyperHideDrv::GetDriverHandleValue()
{
    HANDLE Current = DriverHandle;
    return Current;
}
76 |
// Records the PID that later CallDriver()/Hide() calls act on.
// 0 means "no target" and makes those calls return FALSE.
void HyperHideDrv::SetTargetPid(UINT32 Pid)
{
    const UINT32 Target = Pid;
    this->Pid = Target;
}
--------------------------------------------------------------------------------
/HyperHide/HyperHideDrv.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 |
// Input buffer for IOCTL_HIDE_FROM_SYSCALL (sent by HyperHideDrv::Hide()).
//
// Each Hook* flag selects a syscall/handler the driver should intercept for the
// target process and each Clear*/Save* flag a debugger artefact it should
// scrub. The names line up with the per-profile keys in HyperHide.ini, which
// presumably is where they are populated from (Settings.cpp — not shown here).
//
// NOTE(review): this struct is handed to the kernel driver verbatim, so its
// layout must match the driver-side definition exactly; change both together,
// and the driver should validate the input length against sizeof(HIDE_INFO).
typedef struct _HIDE_INFO
{
    ULONG Pid;                                 // overwritten by Hide() with the target PID
    BOOLEAN HookNtQueryInformationProcess;
    BOOLEAN HookNtQuerySystemInformation;
    BOOLEAN HookNtQueryInformationThread;
    BOOLEAN HookNtQueryInformationJobObject;
    BOOLEAN HookNtQueryObject;
    BOOLEAN HookNtQuerySystemTime;
    BOOLEAN HookNtQueryPerformanceCounter;
    BOOLEAN HookNtCreateUserProcess;
    BOOLEAN HookNtCreateProcessEx;
    BOOLEAN HookNtCreateThreadEx;
    BOOLEAN HookNtSetContextThread;
    BOOLEAN HookNtGetContextThread;
    BOOLEAN HookNtOpenProcess;
    BOOLEAN HookNtOpenThread;
    BOOLEAN HookNtSetInformationThread;
    BOOLEAN HookNtSystemDebugControl;
    BOOLEAN HookNtGetNextProcess;
    BOOLEAN HookNtYieldExecution;
    BOOLEAN HookNtCreateFile;
    BOOLEAN HookNtContinue;
    BOOLEAN HookNtClose;
    BOOLEAN HookNtUserBuildHwndList;
    BOOLEAN HookNtUserFindWindowEx;
    BOOLEAN HookNtUserQueryWindow;
    BOOLEAN HookNtUserGetForegroundWindow;
    BOOLEAN HookKuserSharedData;
    BOOLEAN HookKiDispatchException;           // ini key is spelled KiExceptionDispatch
    BOOLEAN HookNtSetInformationProcess;
    BOOLEAN ClearPebBeingDebugged;
    BOOLEAN ClearPebNtGlobalFlag;
    BOOLEAN ClearHeapFlags;
    BOOLEAN ClearKuserSharedData;
    BOOLEAN ClearHideFromDebuggerFlag;
    BOOLEAN ClearBypassProcessFreeze;
    BOOLEAN ClearProcessBreakOnTerminationFlag;
    BOOLEAN ClearThreadBreakOnTerminationFlag;
    BOOLEAN SaveProcessDebugFlags;
    BOOLEAN SaveProcessHandleTracing;
}HIDE_INFO, * PHIDE_INFO;
47 |
// User-mode wrapper around the HyperHideDrv kernel device.
//
// Typical use: CreateHandleToDriver(), SetTargetPid(), then Hide() or
// CallDriver(); the destructor re-enables hypervisor visibility and closes
// the handle.
//
// NOTE(review): the class is copyable by default while its destructor calls
// CloseHandle(DriverHandle), so a copy would close the same handle twice.
// Consider deleting the copy constructor and copy assignment.
class HyperHideDrv
{
public:
    HyperHideDrv();
    ~HyperHideDrv();                              // SetHyperVisorVisibility(TRUE) + CloseHandle
    BOOLEAN CreateHandleToDriver();               // opens \\.\HyperHideDrv; FALSE on failure
    BOOLEAN CallDriver(size_t Ioctl);             // sends Ioctl with Pid as input; FALSE if Pid == 0
    BOOLEAN Hide(HIDE_INFO& HideInfo);            // IOCTL_HIDE_FROM_SYSCALL; HideInfo.Pid is filled in
    void SetTargetPid(UINT32 Pid);                // 0 means "no target"
    void SetHyperVisorVisibility(BOOLEAN Value);  // IOCTL_SET_HYPERVISOR_VISIBILITY; result ignored
    HANDLE GetDriverHandleValue();                // raw handle; 0 / INVALID_HANDLE_VALUE when not open

private:
    const std::string HyperHideDrvLink = "\\\\.\\HyperHideDrv";  // Win32 device path of the driver
    HANDLE DriverHandle = 0;                                     // 0 until CreateHandleToDriver()
    UINT32 Pid = 0;                                              // target process, set via SetTargetPid()
};
--------------------------------------------------------------------------------
/HyperHide/HyperHideIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/HyperHideIcon.png
--------------------------------------------------------------------------------
/HyperHide/IniApi.cpp:
--------------------------------------------------------------------------------
1 | #include "IniApi.h"
2 |
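// Returns the names of all sections in the INI file `File`.
//
// GetPrivateProfileSectionNamesA fills a double-NUL-terminated list and
// reports nSize-2 when the buffer was too small, so the buffer is grown by
// MAX_PATH until at least three bytes of slack remain; the list is then split
// on its NUL separators. The element type is std::string, which the page's
// extraction had dropped from the signature.
std::vector<std::string> IniLoadSectionNames(const std::string File)
{
    std::string Buf;
    DWORD Written = 0;

    // First pass always runs (an empty buffer has no slack).
    do
    {
        Buf.resize(Buf.size() + MAX_PATH);
        Written = GetPrivateProfileSectionNamesA(&Buf[0], static_cast<DWORD>(Buf.size()), File.c_str());
    } while (static_cast<DWORD>(Buf.size()) - Written < 3);

    std::vector<std::string> Sections;
    // resize() zero-fills, so the walk always ends on a NUL inside Buf.
    for (const char* Entry = Buf.c_str(); *Entry != '\0'; Entry += lstrlenA(Entry) + 1)
        Sections.push_back(Entry);

    return Sections;
}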
21 |
// Reads Section/Key from `File`, returning DefaultValue's text when absent.
// The buffer is grown in MAX_PATH steps until GetPrivateProfileStringA
// reports a length that leaves at least three bytes of slack (no truncation).
std::string IniLoadString(const std::string File, const std::string Section, const std::string Key, const std::string DefaultValue)
{
    std::string Result;
    DWORD Length = 0;

    for (;;)
    {
        if (static_cast<DWORD>(Result.size()) - Length >= 3)
            break;
        Result.resize(Result.size() + MAX_PATH);
        Length = GetPrivateProfileStringA(Section.c_str(), Key.c_str(), DefaultValue.c_str(),
                                          &Result[0], static_cast<DWORD>(Result.size()), File.c_str());
    }

    // Drop the zero padding past the characters actually written.
    Result.resize(Length);
    return Result;
}
35 |
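// Writes Value under Section/Key in `File`.
// WritePrivateProfileStringA returns any nonzero BOOL on success, so the
// result is tested against FALSE rather than required to equal TRUE exactly.
BOOL IniSaveString(const std::string File, const std::string Section, const std::string Key, const std::string Value)
{
    return WritePrivateProfileStringA(Section.c_str(), Key.c_str(), Value.c_str(), File.c_str()) != FALSE;
}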
--------------------------------------------------------------------------------
/HyperHide/IniApi.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 | std::vector IniLoadSectionNames(const std::string File);
11 |
12 | std::string IniLoadString(const std::string File, const std::string Section, const std::string Key, const std::string DefaultValue);
13 |
14 | BOOL IniSaveString(const std::string File, const std::string Section, const std::string Key, const std::string Value);
15 |
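// Reads Key from Section of File and parses it as ValueType.
//
// The stored text is fetched through IniLoadString, which hands DefaultValue
// (rendered with std::to_string) to the Win32 API for the missing-key case.
// The text is then extracted with operator>>. When extraction fails — empty
// or non-numeric text — DefaultValue is returned instead of whatever a failed
// stream extraction leaves in the target.
//
// ValueType must be accepted by std::to_string and by std::istream's
// operator>>. The INI file is the trust boundary here: values come straight
// from whoever can edit it.
template<typename ValueType>
ValueType IniLoadValue(const std::string File, const std::string Section, const std::string Key, ValueType DefaultValue)
{
    const std::string Text = IniLoadString(File, Section, Key, std::to_string(DefaultValue));

    std::istringstream Stream(Text);
    ValueType Value = DefaultValue;
    if (!(Stream >> Value))
        Value = DefaultValue; // never hand back a partially written or zeroed value

    return Value;
}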
32 |
// Stores Value under Key in Section of File, rendered with std::to_string.
// Returns the BOOL result of IniSaveString.
template<typename ValueType>
BOOL IniSaveValue(const std::string File, const std::string Section, const std::string Key, ValueType Value)
{
    const std::string Rendered = std::to_string(Value);
    return IniSaveString(File, Section, Key, Rendered);
}
--------------------------------------------------------------------------------
/HyperHide/Ioctl.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// IOCTL codes shared between the x64dbg plugin and HyperHideDrv.
//
// All codes use FILE_DEVICE_UNKNOWN, METHOD_BUFFERED and function numbers
// in the 0x800+ vendor range. FILE_SPECIAL_ACCESS is winioctl.h's alias for
// FILE_ANY_ACCESS, so the code itself demands no particular handle access
// right: any caller that can open the device can issue every request below.
// Authorization therefore has to come from the device object's security
// descriptor and/or checks inside the driver's dispatch routine — neither is
// visible in this header.
//
// The names are the only documentation of each request; payload layouts
// live in the driver and plugin sources, not here.
3 | #define IOCTL_ADD_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
4 | #define IOCTL_CLEAR_PEB_DEBUGGER_FLAG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x901, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
5 | #define IOCTL_SET_PEB_DEBUGGER_FLAG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x902, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
6 | #define IOCTL_HIDE_FROM_SYSCALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x903, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
7 | #define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x904, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
8 | #define IOCTL_REMOVE_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x905, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
9 | #define IOCTL_PROCESS_STOPPED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x906, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
10 | #define IOCTL_PROCESS_RESUMED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x907, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
11 | #define IOCTL_SET_HYPERVISOR_VISIBILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x908, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
--------------------------------------------------------------------------------
/HyperHide/Settings.cpp:
--------------------------------------------------------------------------------
1 | #include "Settings.h"
2 | #include "IniApi.h"
3 |
// Fills CurrentProfile from the INI section named ProfileName.
//
// Every switch is read with IniLoadValue and a default of 1, so a section
// that is missing or incomplete yields "enabled" for the absent keys. The
// INI key does not always match the member name (e.g. "PebBeingDebugged"
// feeds ClearPebBeingDebugged); the table below is the single place that
// mapping lives, and its order is the order in which the keys are read.
// IniFile must already have been set by Load().
VOID Settings::LoadProfile(std::string ProfileName)
{
    struct Switch
    {
        const char* Key;
        BOOLEAN Settings::Profile::* Member;
    };

    static const Switch Switches[] =
    {
        // Nt hooks
        { "NtQueryInformationProcess",   &Settings::Profile::HookNtQueryInformationProcess },
        { "NtQueryInformationJobObject", &Settings::Profile::HookNtQueryInformationJobObject },
        { "NtQueryInformationThread",    &Settings::Profile::HookNtQueryInformationThread },
        { "NtQueryObject",               &Settings::Profile::HookNtQueryObject },
        { "NtQueryPerformanceCounter",   &Settings::Profile::HookNtQueryPerformanceCounter },
        { "NtQuerySystemInformation",    &Settings::Profile::HookNtQuerySystemInformation },
        { "NtQuerySystemTime",           &Settings::Profile::HookNtQuerySystemTime },
        { "NtClose",                     &Settings::Profile::HookNtClose },
        { "NtGetContextThread",          &Settings::Profile::HookNtGetContextThread },
        { "NtSetContextThread",          &Settings::Profile::HookNtSetContextThread },
        { "NtContinue",                  &Settings::Profile::HookNtContinue },
        { "NtCreateUserProcess",         &Settings::Profile::HookNtCreateUserProcess },
        { "NtCreateProcessEx",           &Settings::Profile::HookNtCreateProcessEx },
        { "NtCreateThreadEx",            &Settings::Profile::HookNtCreateThreadEx },
        { "NtGetNextProcess",            &Settings::Profile::HookNtGetNextProcess },
        { "NtOpenThread",                &Settings::Profile::HookNtOpenThread },
        { "NtOpenProcess",               &Settings::Profile::HookNtOpenProcess },
        { "NtCreateFile",                &Settings::Profile::HookNtCreateFile },
        { "NtYieldExecution",            &Settings::Profile::HookNtYieldExecution },
        { "NtSystemDebugControl",        &Settings::Profile::HookNtSystemDebugControl },
        { "NtSetInformationThread",      &Settings::Profile::HookNtSetInformationThread },
        { "NtSetInformationProcess",     &Settings::Profile::HookNtSetInformationProcess },

        // Win32k hooks
        { "NtUserBuildHwndList",         &Settings::Profile::HookNtUserBuildHwndList },
        { "NtUserFindWindowEx",          &Settings::Profile::HookNtUserFindWindowEx },
        { "NtUserGetForegroundWindow",   &Settings::Profile::HookNtUserGetForegroundWindow },
        { "NtUserQueryWindow",           &Settings::Profile::HookNtUserQueryWindow },

        // Other
        { "KiExceptionDispatch",           &Settings::Profile::HookKiExceptionDispatch },
        { "HookKuserSharedData",           &Settings::Profile::HookKuserSharedData },
        { "PebBeingDebugged",              &Settings::Profile::ClearPebBeingDebugged },
        { "PebNtGlobalFlag",               &Settings::Profile::ClearPebNtGlobalFlag },
        { "HeapFlags",                     &Settings::Profile::ClearHeapFlags },
        { "ClearKuserSharedData",          &Settings::Profile::ClearKuserSharedData },
        { "ThreadHideFromDebuggerFlag",    &Settings::Profile::ClearHideFromDebuggerFlag },
        { "ThreadBypassProcessFreeze",     &Settings::Profile::ClearBypassProcessFreeze },
        { "ProcessBreakOnTerminationFlag", &Settings::Profile::ClearProcessBreakOnTerminationFlag },
        { "ThreadBreakOnTerminationFlag",  &Settings::Profile::ClearThreadBreakOnTerminationFlag },
        { "ProcessDebugFlags",             &Settings::Profile::SaveProcessDebugFlags },
        { "ProcessHandleTracing",          &Settings::Profile::SaveProcessHandleTracing },
    };

    // Each key is read as an int (default 1) and narrowed into the BOOLEAN member.
    for (const Switch& Entry : Switches)
        CurrentProfile.*Entry.Member = IniLoadValue(IniFile, ProfileName, Entry.Key, 1);
}
50 |
// Writes every switch of CurrentProfile into the INI section named
// CurrentProfileName.
//
// Returns TRUE only if every IniSaveValue call succeeded. All keys are
// attempted even after a failure — the results are combined with a bitwise
// AND, not short-circuited. The key/member table mirrors the one used when
// loading; keep the two in sync. IniFile must already have been set by
// Load().
BOOL Settings::SaveProfile()
{
    struct Switch
    {
        const char* Key;
        BOOLEAN Settings::Profile::* Member;
    };

    static const Switch Switches[] =
    {
        // Nt hooks
        { "NtQueryInformationProcess",   &Settings::Profile::HookNtQueryInformationProcess },
        { "NtQueryInformationJobObject", &Settings::Profile::HookNtQueryInformationJobObject },
        { "NtQueryInformationThread",    &Settings::Profile::HookNtQueryInformationThread },
        { "NtQueryObject",               &Settings::Profile::HookNtQueryObject },
        { "NtQueryPerformanceCounter",   &Settings::Profile::HookNtQueryPerformanceCounter },
        { "NtQuerySystemInformation",    &Settings::Profile::HookNtQuerySystemInformation },
        { "NtQuerySystemTime",           &Settings::Profile::HookNtQuerySystemTime },
        { "NtClose",                     &Settings::Profile::HookNtClose },
        { "NtGetContextThread",          &Settings::Profile::HookNtGetContextThread },
        { "NtSetContextThread",          &Settings::Profile::HookNtSetContextThread },
        { "NtContinue",                  &Settings::Profile::HookNtContinue },
        { "NtCreateUserProcess",         &Settings::Profile::HookNtCreateUserProcess },
        { "NtCreateProcessEx",           &Settings::Profile::HookNtCreateProcessEx },
        { "NtCreateThreadEx",            &Settings::Profile::HookNtCreateThreadEx },
        { "NtGetNextProcess",            &Settings::Profile::HookNtGetNextProcess },
        { "NtOpenThread",                &Settings::Profile::HookNtOpenThread },
        { "NtOpenProcess",               &Settings::Profile::HookNtOpenProcess },
        { "NtCreateFile",                &Settings::Profile::HookNtCreateFile },
        { "NtYieldExecution",            &Settings::Profile::HookNtYieldExecution },
        { "NtSystemDebugControl",        &Settings::Profile::HookNtSystemDebugControl },
        { "NtSetInformationThread",      &Settings::Profile::HookNtSetInformationThread },
        { "NtSetInformationProcess",     &Settings::Profile::HookNtSetInformationProcess },

        // Win32k hooks
        { "NtUserBuildHwndList",         &Settings::Profile::HookNtUserBuildHwndList },
        { "NtUserFindWindowEx",          &Settings::Profile::HookNtUserFindWindowEx },
        { "NtUserGetForegroundWindow",   &Settings::Profile::HookNtUserGetForegroundWindow },
        { "NtUserQueryWindow",           &Settings::Profile::HookNtUserQueryWindow },

        // Other
        { "KiExceptionDispatch",           &Settings::Profile::HookKiExceptionDispatch },
        { "HookKuserSharedData",           &Settings::Profile::HookKuserSharedData },
        { "PebBeingDebugged",              &Settings::Profile::ClearPebBeingDebugged },
        { "PebNtGlobalFlag",               &Settings::Profile::ClearPebNtGlobalFlag },
        { "HeapFlags",                     &Settings::Profile::ClearHeapFlags },
        { "ClearKuserSharedData",          &Settings::Profile::ClearKuserSharedData },
        { "ThreadHideFromDebuggerFlag",    &Settings::Profile::ClearHideFromDebuggerFlag },
        { "ThreadBypassProcessFreeze",     &Settings::Profile::ClearBypassProcessFreeze },
        { "ProcessBreakOnTerminationFlag", &Settings::Profile::ClearProcessBreakOnTerminationFlag },
        { "ThreadBreakOnTerminationFlag",  &Settings::Profile::ClearThreadBreakOnTerminationFlag },
        { "ProcessDebugFlags",             &Settings::Profile::SaveProcessDebugFlags },
        { "ProcessHandleTracing",          &Settings::Profile::SaveProcessHandleTracing },
    };

    BOOL AllWritten = TRUE;
    for (const Switch& Entry : Switches)
        AllWritten &= IniSaveValue(IniFile, CurrentProfileName, Entry.Key, CurrentProfile.*Entry.Member);

    return AllWritten;
}
101 |
// Appends ProfileName to the in-memory profile list.
//
// Returns FALSE (and changes nothing) when a profile of that name is already
// listed, TRUE after adding it. Nothing is written to the INI by this call.
BOOL Settings::AddProfile(std::string ProfileName)
{
    const bool AlreadyKnown =
        std::find(ProfileNames.cbegin(), ProfileNames.cend(), ProfileName) != ProfileNames.cend();
    if (AlreadyKnown)
        return FALSE;

    ProfileNames.emplace_back(std::move(ProfileName));
    return TRUE;
}
110 |
// Switches the active profile to ProfileName.
//
// No-op when that profile is already active. Otherwise the new name is
// remembered, persisted under the settings section's current-profile key
// (the write result is not checked — best effort), and the profile's
// switches are loaded from the INI. IniFile must already have been set by
// Load().
VOID Settings::SetProfile(std::string ProfileName)
{
    const bool Unchanged = (CurrentProfileName == ProfileName);
    if (Unchanged)
        return;

    CurrentProfileName = ProfileName;
    (void)IniSaveString(IniFile, SettingsSectionName, CurrentProfileKey, CurrentProfileName);

    LoadProfile(CurrentProfileName);
}
121 |
// Initializes the settings from the INI file found under IniPath.
//
// Builds IniFile, reads every section name as a profile (minus the settings
// section, which holds plugin state rather than a profile), restores the
// last selected profile name — DefaultProfile when none is stored — and
// loads that profile's switches. Must run before the other methods, which
// rely on IniFile.
//
// NOTE(review): IniPath is concatenated as-is, so it is assumed to end with a
// path separator — confirm against the caller. If the stored profile name
// refers to a section that no longer exists, LoadProfile still runs with
// all-1 defaults and the name is not added to ProfileNames.
VOID Settings::Load(std::string IniPath)
{
    IniFile = IniPath + IniFileName;

    ProfileNames = IniLoadSectionNames(IniFile);
    const auto ProfilesEnd = std::remove(ProfileNames.begin(), ProfileNames.end(), SettingsSectionName);
    ProfileNames.erase(ProfilesEnd, ProfileNames.end());

    CurrentProfileName = IniLoadString(IniFile, SettingsSectionName, CurrentProfileKey, DefaultProfile);
    LoadProfile(CurrentProfileName);
}
132 |
// Exposes the mutable list of known profile names. The reference aliases the
// member, so callers that modify it bypass AddProfile's duplicate check.
std::vector<std::string>& Settings::GetProfileNames()
{
    std::vector<std::string>& Names = ProfileNames;
    return Names;
}
137 |
// Exposes the active profile's switches for reading and in-place editing;
// edits only reach the INI when SaveProfile is called.
Settings::Profile& Settings::GetCurrentProfile()
{
    Settings::Profile& Active = CurrentProfile;
    return Active;
}
142 |
// Returns a copy of the active profile's name.
std::string Settings::GetCurrentProfileName()
{
    const std::string Name(CurrentProfileName);
    return Name;
}
--------------------------------------------------------------------------------
/HyperHide/Settings.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 |
// Plugin configuration backed by an INI file.
//
// Profiles are INI sections; each section holds one BOOLEAN switch per
// key. The class keeps the parsed switches of the active profile in memory
// and persists changes through the IniApi helpers. Load() must be called
// first — it computes IniFile, which every other method relies on.
//
// Trust note: the switches are read verbatim from the INI file, so whoever
// can write that file controls which hooks and flag-clears the plugin
// requests; the file is the trust boundary for this configuration.
11 | class Settings
12 | {
13 | public:
// Plain aggregate of per-profile switches. Members named Hook* enable a
// hook, Clear* a flag-clearing step, Save* a save/restore step (the names
// are the only documentation of what each one does; the driver interprets
// them). Each member is filled from an INI key of a similar but not always
// identical name — see LoadProfile/SaveProfile for the mapping.
14 | struct Profile
15 | {
16 | BOOLEAN HookNtQueryInformationProcess;
17 | BOOLEAN HookNtQuerySystemInformation;
18 | BOOLEAN HookNtQueryInformationThread;
19 | BOOLEAN HookNtQueryInformationJobObject;
20 | BOOLEAN HookNtQueryObject;
21 | BOOLEAN HookNtQuerySystemTime;
22 | BOOLEAN HookNtQueryPerformanceCounter;
23 | BOOLEAN HookNtCreateUserProcess;
24 | BOOLEAN HookNtCreateProcessEx;
25 | BOOLEAN HookNtCreateThreadEx;
26 | BOOLEAN HookNtSetContextThread;
27 | BOOLEAN HookNtGetContextThread;
28 | BOOLEAN HookNtOpenProcess;
29 | BOOLEAN HookNtOpenThread;
30 | BOOLEAN HookNtSetInformationThread;
31 | BOOLEAN HookNtSystemDebugControl;
32 | BOOLEAN HookNtGetNextProcess;
33 | BOOLEAN HookNtYieldExecution;
34 | BOOLEAN HookNtCreateFile;
35 | BOOLEAN HookNtContinue;
36 | BOOLEAN HookNtClose;
37 | BOOLEAN HookNtUserBuildHwndList;
38 | BOOLEAN HookNtUserFindWindowEx;
39 | BOOLEAN HookNtUserQueryWindow;
40 | BOOLEAN HookNtUserGetForegroundWindow;
41 | BOOLEAN HookKuserSharedData;
42 | BOOLEAN HookKiExceptionDispatch;
43 | BOOLEAN HookNtSetInformationProcess;
44 | BOOLEAN ClearPebBeingDebugged;
45 | BOOLEAN ClearPebNtGlobalFlag;
46 | BOOLEAN ClearHeapFlags;
47 | BOOLEAN ClearKuserSharedData;
48 | BOOLEAN ClearHideFromDebuggerFlag;
49 | BOOLEAN ClearBypassProcessFreeze;
50 | BOOLEAN ClearProcessBreakOnTerminationFlag;
51 | BOOLEAN ClearThreadBreakOnTerminationFlag;
52 | BOOLEAN SaveProcessDebugFlags;
53 | BOOLEAN SaveProcessHandleTracing;
54 | };
55 |
// Reads the section ProfileName into CurrentProfile (missing keys default to 1).
56 | VOID LoadProfile(std::string ProfileName);
57 |
// Writes CurrentProfile into the section CurrentProfileName; TRUE only if every key was written.
58 | BOOL SaveProfile();
59 |
// Adds ProfileName to the in-memory list; FALSE if already present. Does not touch the INI.
60 | BOOL AddProfile(std::string ProfileName);
61 |
// Makes ProfileName active, persists the choice under CurrentProfileKey and loads its switches.
62 | VOID SetProfile(std::string ProfileName);
63 |
// Reads the INI at IniPath + IniFileName: section list, stored current profile, its switches.
64 | VOID Load(std::string IniPath);
65 |
// Mutable access to the profile list (bypasses AddProfile's duplicate check).
66 | std::vector& GetProfileNames();
67 |
// Mutable access to the active switches; changes reach the INI only via SaveProfile.
68 | Profile& GetCurrentProfile();
69 |
70 | std::string GetCurrentProfileName();
71 |
72 | private:
// Full INI path, computed by Load(); empty until then.
73 | std::string IniFile;
74 | CONST std::string IniFileName = "HyperHide.ini";
// Section holding plugin state (not a profile); filtered out of ProfileNames.
75 | CONST std::string SettingsSectionName = "SETTINGS";
// Profile name used when the INI stores none.
76 | CONST std::string DefaultProfile = "Default";
// Key under SettingsSectionName that records the active profile.
77 | CONST std::string CurrentProfileKey = "CurrentProfile";
78 | std::vector ProfileNames;
79 | std::string CurrentProfileName;
80 | Profile CurrentProfile;
81 | };
--------------------------------------------------------------------------------
/HyperHide/Tooltips.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | HWND CreateTooltips(HWND hDlg);
--------------------------------------------------------------------------------
/HyperHide/pluginconfig.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #define PLUGIN_NAME "HyperHide"
3 | #define PLUGIN_VERSION 1
4 |
--------------------------------------------------------------------------------
/HyperHide/pluginmain.h:
--------------------------------------------------------------------------------
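#pragma once

// Plugin information.
//
// PLUGIN_NAME and PLUGIN_VERSION normally come from pluginconfig.h. The
// fallbacks below apply only when that header did not provide them. Each
// fallback sits behind its own #ifndef so that a name defined before this
// header is included is kept rather than redefined.
#ifndef PLUGIN_NAME
#include "pluginconfig.h"
#endif // PLUGIN_NAME
#ifndef PLUGIN_NAME
#define PLUGIN_NAME "UnnamedPlugin"
#endif // PLUGIN_NAME
#ifndef PLUGIN_VERSION
#define PLUGIN_VERSION 1
#endif // PLUGIN_VERSION

#include "pluginsdk/bridgemain.h"
#include "pluginsdk/_plugins.h"

#include "pluginsdk/_scriptapi_argument.h"
#include "pluginsdk/_scriptapi_assembler.h"
#include "pluginsdk/_scriptapi_bookmark.h"
#include "pluginsdk/_scriptapi_comment.h"
#include "pluginsdk/_scriptapi_debug.h"
#include "pluginsdk/_scriptapi_flag.h"
#include "pluginsdk/_scriptapi_function.h"
#include "pluginsdk/_scriptapi_gui.h"
#include "pluginsdk/_scriptapi_label.h"
#include "pluginsdk/_scriptapi_memory.h"
#include "pluginsdk/_scriptapi_misc.h"
#include "pluginsdk/_scriptapi_module.h"
#include "pluginsdk/_scriptapi_pattern.h"
#include "pluginsdk/_scriptapi_register.h"
#include "pluginsdk/_scriptapi_stack.h"
#include "pluginsdk/_scriptapi_symbol.h"

#include "pluginsdk/DeviceNameResolver/DeviceNameResolver.h"
#include "pluginsdk/jansson/jansson.h"
#include "pluginsdk/lz4/lz4file.h"
#include "pluginsdk/TitanEngine/TitanEngine.h"
#include "pluginsdk/XEDParse/XEDParse.h"

// Import libraries for the matching bitness of the host debugger.
#ifdef _WIN64
#pragma comment(lib, "pluginsdk/x64dbg.lib")
#pragma comment(lib, "pluginsdk/x64bridge.lib")
#pragma comment(lib, "pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib")
#pragma comment(lib, "pluginsdk/jansson/jansson_x64.lib")
#pragma comment(lib, "pluginsdk/lz4/lz4_x64.lib")
#pragma comment(lib, "pluginsdk/TitanEngine/TitanEngine_x64.lib")
#pragma comment(lib, "pluginsdk/XEDParse/XEDParse_x64.lib")
#else
#pragma comment(lib, "pluginsdk/x32dbg.lib")
#pragma comment(lib, "pluginsdk/x32bridge.lib")
#pragma comment(lib, "pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib")
#pragma comment(lib, "pluginsdk/jansson/jansson_x86.lib")
#pragma comment(lib, "pluginsdk/lz4/lz4_x86.lib")
#pragma comment(lib, "pluginsdk/TitanEngine/TitanEngine_x86.lib")
#pragma comment(lib, "pluginsdk/XEDParse/XEDParse_x86.lib")
#endif //_WIN64

// Convenience wrappers around the x64dbg bridge.
#define Cmd(x) DbgCmdExecDirect(x)
#define Eval(x) DbgValFromString(x)
// Logging helpers. The "[PLUGIN_NAME] " prefix is concatenated with x, so x
// must be a string literal — which also keeps runtime text out of the
// format-string position.
#define dprintf(x, ...) _plugin_logprintf("[" PLUGIN_NAME "] " x, __VA_ARGS__)
#define dputs(x) _plugin_logputs("[" PLUGIN_NAME "] " x)
#define PLUG_EXPORT extern "C" __declspec(dllexport)

//superglobal variables (defined in pluginmain.cpp)
extern int pluginHandle;
extern HWND hwndDlg;
extern int hMenu;
extern int hMenuDisasm;
extern int hMenuDump;
extern int hMenuStack;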
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver.h:
--------------------------------------------------------------------------------
1 | #ifndef _DEVICENAMERESOLVER_H
2 | #define _DEVICENAMERESOLVER_H
3 |
4 | #include
5 |
6 | #ifdef __cplusplus
7 | extern "C"
8 | {
9 | #endif
10 |
11 | __declspec(dllexport) bool DevicePathToPathW(const wchar_t* szDevicePath, wchar_t* szPath, size_t nSizeInChars);
12 | __declspec(dllexport) bool DevicePathToPathA(const char* szDevicePath, char* szPath, size_t nSizeInChars);
13 | __declspec(dllexport) bool DevicePathFromFileHandleW(HANDLE hFile, wchar_t* szDevicePath, size_t nSizeInChars);
14 | __declspec(dllexport) bool DevicePathFromFileHandleA(HANDLE hFile, char* szDevicePath, size_t nSizeInChars);
15 | __declspec(dllexport) bool PathFromFileHandleW(HANDLE hFile, wchar_t* szPath, size_t nSizeInChars);
16 | __declspec(dllexport) bool PathFromFileHandleA(HANDLE hFile, char* szPath, size_t nSizeInChars);
17 |
18 | #ifdef __cplusplus
19 | }
20 | #endif
21 |
22 | #endif // _DEVICENAMERESOLVER_H
23 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/TitanEngine/TitanEngine_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/TitanEngine/TitanEngine_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/TitanEngine/TitanEngine_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/TitanEngine/TitanEngine_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/TitanEngine/TitanEngine_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/TitanEngine/TitanEngine_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/TitanEngine/TitanEngine_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/TitanEngine/TitanEngine_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse.h:
--------------------------------------------------------------------------------
1 | #ifndef _XEDPARSE_H
2 | #define _XEDPARSE_H
3 |
4 | #include
5 |
6 | //XEDParse defines
7 | #ifdef XEDPARSE_BUILD
8 | #define XEDPARSE_EXPORT __declspec(dllexport)
9 | #else
10 | #define XEDPARSE_EXPORT __declspec(dllimport)
11 | #endif //XEDPARSE_BUILD
12 |
13 | #define XEDPARSE_CALL //calling convention
14 |
15 | #define XEDPARSE_MAXBUFSIZE 256
16 | #define XEDPARSE_MAXASMSIZE 16
17 |
18 | //typedefs
19 | typedef bool (XEDPARSE_CALL* CBXEDPARSE_UNKNOWN)(const char* text, ULONGLONG* value);
20 |
21 | //XEDParse enums
// Result of XEDParseAssemble: XEDPARSE_OK on success, XEDPARSE_ERROR when
// assembly failed (the struct's error text is meant for that case).
22 | enum XEDPARSE_STATUS
23 | {
24 | XEDPARSE_ERROR = 0,
25 | XEDPARSE_OK = 1
26 | };
27 |
28 | //XEDParse structs
29 | #pragma pack(push,8)
// In/out block for XEDParseAssemble, packed to 8 bytes for ABI stability
// across the DLL boundary. Per the field comments, x64/cip/cbUnknown/instr
// are inputs and dest/dest_size/error are filled by XEDParse. instr and error
// are fixed-size character buffers (XEDPARSE_MAXBUFSIZE); callers should keep
// instr NUL-terminated within that size — the parser's handling of an
// unterminated buffer is not visible here.
30 | struct XEDPARSE
31 | {
32 | bool x64; // use 64-bit instructions
33 | ULONGLONG cip; //instruction pointer (for relative addressing)
34 | unsigned int dest_size; //destination size (returned by XEDParse)
35 | CBXEDPARSE_UNKNOWN cbUnknown; //unknown operand callback
36 | unsigned char dest[XEDPARSE_MAXASMSIZE]; //destination buffer
37 | char instr[XEDPARSE_MAXBUFSIZE]; //instruction text
38 | char error[XEDPARSE_MAXBUFSIZE]; //error text (in case of an error)
39 | };
40 | #pragma pack(pop)
41 |
42 | #ifdef __cplusplus
43 | extern "C"
44 | {
45 | #endif
46 |
47 | XEDPARSE_EXPORT XEDPARSE_STATUS XEDPARSE_CALL XEDParseAssemble(XEDPARSE* XEDParse);
48 |
49 | #ifdef __cplusplus
50 | }
51 | #endif
52 |
53 | #endif // _XEDPARSE_H
54 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/XEDParse/XEDParse_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/XEDParse/XEDParse_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/XEDParse/XEDParse_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/XEDParse/XEDParse_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_dbgfunctions.h:
--------------------------------------------------------------------------------
1 | #ifndef _DBGFUNCTIONS_H
2 | #define _DBGFUNCTIONS_H
3 |
4 | #ifndef __cplusplus
5 | #include
6 | #endif
7 |
// Plain C data types exchanged with x64dbg through the debugger function
// table. They are declared as untagged typedef structs so the header works
// from C as well as C++. For every pointer-plus-count pair below, who
// allocates and frees the array is not visible in this header — check the
// documentation of the function that fills it.

// One patched byte: owning module, address, original and replacement byte.
8 | typedef struct
9 | {
10 | char mod[MAX_MODULE_SIZE];
11 | duint addr;
12 | unsigned char oldbyte;
13 | unsigned char newbyte;
14 | } DBGPATCHINFO;
15 |
// One call-stack frame; comment is a fixed-size text buffer.
16 | typedef struct
17 | {
18 | duint addr;
19 | duint from;
20 | duint to;
21 | char comment[MAX_COMMENT_SIZE];
22 | } DBGCALLSTACKENTRY;
23 |
// Call stack: entries presumably points at total frames.
24 | typedef struct
25 | {
26 | int total;
27 | DBGCALLSTACKENTRY* entries;
28 | } DBGCALLSTACK;
29 |
30 | typedef struct
31 | {
32 | duint addr;
33 | duint handler;
34 | } DBGSEHRECORD;
35 |
// SEH chain: records presumably points at total DBGSEHRECORDs.
36 | typedef struct
37 | {
38 | duint total;
39 | DBGSEHRECORD* records;
40 | } DBGSEHCHAIN;
41 |
// Process-list entry; all text fields are fixed-size buffers.
42 | typedef struct
43 | {
44 | DWORD dwProcessId;
45 | char szExeFile[MAX_PATH];
46 | char szExeMainWindowTitle[MAX_PATH];
47 | char szExeArgs[MAX_COMMAND_LINE_SIZE];
48 | } DBGPROCESSINFO;
49 |
50 | typedef struct
51 | {
52 | DWORD rva;
53 | BYTE type;
54 | WORD size;
55 | } DBGRELOCATIONINFO;
56 |
// Classification of a traced byte. Values from DataByte onward are given
// explicit enumerator order only; the header itself says they are not
// implemented yet.
57 | typedef enum
58 | {
59 | InstructionBody = 0,
60 | InstructionHeading = 1,
61 | InstructionTailing = 2,
62 | InstructionOverlapped = 3, // The byte was executed with differing instruction base addresses
63 | DataByte, // This and the following is not implemented yet.
64 | DataWord,
65 | DataDWord,
66 | DataQWord,
67 | DataFloat,
68 | DataDouble,
69 | DataLongDouble,
70 | DataXMM,
71 | DataYMM,
72 | DataMMX,
73 | DataMixed, //the byte is accessed in multiple ways
74 | InstructionDataMixed //the byte is both executed and written
75 | } TRACERECORDBYTETYPE;
76 |
// Granularity of trace recording for a page (see SETTRACERECORDTYPE below).
77 | typedef enum
78 | {
79 | TraceRecordNone,
80 | TraceRecordBitExec,
81 | TraceRecordByteWithExecTypeAndCounter,
82 | TraceRecordWordWithExecTypeAndCounter
83 | } TRACERECORDTYPE;
84 |
85 | typedef struct
86 | {
87 | duint Handle;
88 | unsigned char TypeNumber;
89 | unsigned int GrantedAccess;
90 | } HANDLEINFO;
91 |
92 | // The longest ip address is 1234:6789:1234:6789:1234:6789:123.567.901.345 (46 bytes)
93 | #define TCP_ADDR_SIZE 50
94 |
// TCP connection entry. StateText reuses TCP_ADDR_SIZE as its buffer length
// even though it holds a state name, not an address.
95 | typedef struct
96 | {
97 | char RemoteAddress[TCP_ADDR_SIZE];
98 | unsigned short RemotePort;
99 | char LocalAddress[TCP_ADDR_SIZE];
100 | unsigned short LocalPort;
101 | char StateText[TCP_ADDR_SIZE];
102 | unsigned int State;
103 | } TCPCONNECTIONINFO;
104 |
// Window entry; windowTitle and windowClass are fixed-size text buffers.
105 | typedef struct
106 | {
107 | duint handle;
108 | duint parent;
109 | DWORD threadId;
110 | DWORD style;
111 | DWORD styleEx;
112 | duint wndProc;
113 | bool enabled;
114 | RECT position;
115 | char windowTitle[MAX_COMMENT_SIZE];
116 | char windowClass[MAX_COMMENT_SIZE];
117 | } WINDOW_INFO;
118 |
119 | typedef struct
120 | {
121 | duint addr;
122 | duint size;
123 | duint flags;
124 | } HEAPINFO;
125 |
// Named constant. name is a borrowed pointer; its lifetime is not visible here.
126 | typedef struct
127 | {
128 | const char* name;
129 | duint value;
130 | } CONSTANTINFO;
131 |
132 | typedef enum
133 | {
134 | MODSYMUNLOADED = 0,
135 | MODSYMLOADING,
136 | MODSYMLOADED
137 | } MODULESYMBOLSTATUS;
138 |
139 | typedef bool (*ASSEMBLEATEX)(duint addr, const char* instruction, char* error, bool fillnop);
140 | typedef bool (*SECTIONFROMADDR)(duint addr, char* section);
141 | typedef bool (*MODNAMEFROMADDR)(duint addr, char* modname, bool extension);
142 | typedef duint(*MODBASEFROMADDR)(duint addr);
143 | typedef duint(*MODBASEFROMNAME)(const char* modname);
144 | typedef duint(*MODSIZEFROMADDR)(duint addr);
145 | typedef bool (*ASSEMBLE)(duint addr, unsigned char* dest, int* size, const char* instruction, char* error);
146 | typedef bool (*PATCHGET)(duint addr);
147 | typedef bool (*PATCHINRANGE)(duint start, duint end);
148 | typedef bool (*MEMPATCH)(duint va, const unsigned char* src, duint size);
149 | typedef void (*PATCHRESTORERANGE)(duint start, duint end);
150 | typedef bool (*PATCHENUM)(DBGPATCHINFO* patchlist, size_t* cbsize);
151 | typedef bool (*PATCHRESTORE)(duint addr);
152 | typedef int (*PATCHFILE)(DBGPATCHINFO* patchlist, int count, const char* szFileName, char* error);
153 | typedef int (*MODPATHFROMADDR)(duint addr, char* path, int size);
154 | typedef int (*MODPATHFROMNAME)(const char* modname, char* path, int size);
155 | typedef bool (*DISASMFAST)(const unsigned char* data, duint addr, BASIC_INSTRUCTION_INFO* basicinfo);
156 | typedef void (*MEMUPDATEMAP)();
157 | typedef void (*GETCALLSTACK)(DBGCALLSTACK* callstack);
158 | typedef void (*GETSEHCHAIN)(DBGSEHCHAIN* sehchain);
159 | typedef void (*SYMBOLDOWNLOADALLSYMBOLS)(const char* szSymbolStore);
160 | typedef bool (*GETJIT)(char* jit, bool x64);
161 | typedef bool (*GETJITAUTO)(bool* jitauto);
162 | typedef bool (*GETDEFJIT)(char* defjit);
163 | typedef bool (*GETPROCESSLIST)(DBGPROCESSINFO** entries, int* count);
164 | typedef bool (*GETPAGERIGHTS)(duint addr, char* rights);
165 | typedef bool (*SETPAGERIGHTS)(duint addr, const char* rights);
166 | typedef bool (*PAGERIGHTSTOSTRING)(DWORD protect, char* rights);
167 | typedef bool (*ISPROCESSELEVATED)();
168 | typedef bool (*GETCMDLINE)(char* cmdline, size_t* cbsize);
169 | typedef bool (*SETCMDLINE)(const char* cmdline);
170 | typedef duint(*FILEOFFSETTOVA)(const char* modname, duint offset);
171 | typedef duint(*VATOFILEOFFSET)(duint va);
172 | typedef duint(*GETADDRFROMLINE)(const char* szSourceFile, int line, duint* displacement);
173 | typedef bool (*GETSOURCEFROMADDR)(duint addr, char* szSourceFile, int* line);
174 | typedef bool (*VALFROMSTRING)(const char* string, duint* value);
175 | typedef bool (*PATCHGETEX)(duint addr, DBGPATCHINFO* info);
176 | typedef bool (*GETBRIDGEBP)(BPXTYPE type, duint addr, BRIDGEBP* bp);
177 | typedef bool (*STRINGFORMATINLINE)(const char* format, size_t resultSize, char* result);
178 | typedef void (*GETMNEMONICBRIEF)(const char* mnem, size_t resultSize, char* result);
179 | typedef unsigned int (*GETTRACERECORDHITCOUNT)(duint address);
180 | typedef TRACERECORDBYTETYPE(*GETTRACERECORDBYTETYPE)(duint address);
181 | typedef bool (*SETTRACERECORDTYPE)(duint pageAddress, TRACERECORDTYPE type);
182 | typedef TRACERECORDTYPE(*GETTRACERECORDTYPE)(duint pageAddress);
183 | typedef bool (*ENUMHANDLES)(ListOf(HANDLEINFO) handles);
184 | typedef bool (*GETHANDLENAME)(duint handle, char* name, size_t nameSize, char* typeName, size_t typeNameSize);
185 | typedef bool (*ENUMTCPCONNECTIONS)(ListOf(TCPCONNECTIONINFO) connections);
186 | typedef duint(*GETDBGEVENTS)();
187 | typedef int (*MODGETPARTY)(duint base);
188 | typedef void (*MODSETPARTY)(duint base, int party);
189 | typedef bool(*WATCHISWATCHDOGTRIGGERED)(unsigned int id);
190 | typedef bool(*MEMISCODEPAGE)(duint addr, bool refresh);
191 | typedef bool(*ANIMATECOMMAND)(const char* command);
192 | typedef void(*DBGSETDEBUGGEEINITSCRIPT)(const char* fileName);
193 | typedef const char* (*DBGGETDEBUGGEEINITSCRIPT)();
194 | typedef bool(*HANDLESENUMWINDOWS)(ListOf(WINDOW_INFO) windows);
195 | typedef bool(*HANDLESENUMHEAPS)(ListOf(HEAPINFO) heaps);
196 | typedef bool(*THREADGETNAME)(DWORD tid, char* name);
197 | typedef bool(*ISDEPENABLED)();
198 | typedef void(*GETCALLSTACKEX)(DBGCALLSTACK* callstack, bool cache);
199 | typedef bool(*GETUSERCOMMENT)(duint addr, char* comment);
200 | typedef void(*ENUMCONSTANTS)(ListOf(CONSTANTINFO) constants);
201 | typedef duint(*MEMBPSIZE)(duint addr);
202 | typedef bool(*MODRELOCATIONSFROMADDR)(duint addr, ListOf(DBGRELOCATIONINFO) relocations);
203 | typedef bool(*MODRELOCATIONATADDR)(duint addr, DBGRELOCATIONINFO* relocation);
204 | typedef bool(*MODRELOCATIONSINRANGE)(duint addr, duint size, ListOf(DBGRELOCATIONINFO) relocations);
205 | typedef duint(*DBGETHASH)();
206 | typedef int(*SYMAUTOCOMPLETE)(const char* Search, char** Buffer, int MaxSymbols);
207 | typedef void(*REFRESHMODULELIST)();
208 | typedef duint(*GETADDRFROMLINEEX)(duint mod, const char* szSourceFile, int line);
209 | typedef MODULESYMBOLSTATUS(*MODSYMBOLSTATUS)(duint mod);
210 |
//The function table returned by DbgFunctions().
//WARNING: This list is append only. Do not insert members in the middle or remove any: the struct layout is part of the plugin ABI and existing plugins would break.
typedef struct DBGFUNCTIONS_
{
    // Function table handed to plugins by DbgFunctions(). Every member is a
    // function pointer filled in by the debugger; the parameter lists are the
    // typedefs above. The layout is part of the plugin ABI: members are only
    // ever appended, never reordered or removed.
    // NOTE(review): a plugin built against a newer SDK than the running
    // debugger would read members past the end of the debugger's table —
    // confirm how the SDK version is checked before relying on trailing members.
    ASSEMBLEATEX AssembleAtEx;
    SECTIONFROMADDR SectionFromAddr;
    MODNAMEFROMADDR ModNameFromAddr;
    MODBASEFROMADDR ModBaseFromAddr;
    MODBASEFROMNAME ModBaseFromName;
    MODSIZEFROMADDR ModSizeFromAddr;
    ASSEMBLE Assemble;
    // Patching: MemPatch/PatchRestore* modify debuggee memory; PatchFile writes
    // `count` patches to szFileName. PatchFile's `error` buffer carries no size
    // in the signature — presumably MAX_ERROR_SIZE as Script::Assembler::AssembleEx
    // documents; confirm before sizing it.
    PATCHGET PatchGet;
    PATCHINRANGE PatchInRange;
    MEMPATCH MemPatch;
    PATCHRESTORERANGE PatchRestoreRange;
    PATCHENUM PatchEnum;
    PATCHRESTORE PatchRestore;
    PATCHFILE PatchFile;
    // Both take an explicit `size` for the output path buffer.
    MODPATHFROMADDR ModPathFromAddr;
    MODPATHFROMNAME ModPathFromName;
    DISASMFAST DisasmFast;
    MEMUPDATEMAP MemUpdateMap;
    GETCALLSTACK GetCallStack;
    GETSEHCHAIN GetSEHChain;
    // Fetches symbols from the store named by szSymbolStore (network access
    // driven by that string): only pass a trusted symbol store.
    SYMBOLDOWNLOADALLSYMBOLS SymbolDownloadAllSymbols;
    GETJITAUTO GetJitAuto;
    GETJIT GetJit;
    GETDEFJIT GetDefJit;
    // Returns an array through `entries`/`count`; who frees the array is not
    // visible here — confirm.
    GETPROCESSLIST GetProcessList;
    // The `rights` output buffer has no size parameter: callers must supply
    // the SDK's fixed-size rights buffer. SetPageRights changes page
    // protection inside the debuggee.
    GETPAGERIGHTS GetPageRights;
    SETPAGERIGHTS SetPageRights;
    PAGERIGHTSTOSTRING PageRightsToString;
    ISPROCESSELEVATED IsProcessElevated; // which process is tested (debugger or debuggee) is not visible here — confirm
    // GetCmdline takes `cbsize` by pointer (buffer size in / required size
    // out is the likely contract — confirm); SetCmdline rewrites the
    // debuggee's command line.
    GETCMDLINE GetCmdline;
    SETCMDLINE SetCmdline;
    FILEOFFSETTOVA FileOffsetToVa;
    VATOFILEOFFSET VaToFileOffset;
    GETADDRFROMLINE GetAddrFromLine;
    GETSOURCEFROMADDR GetSourceFromAddr;
    VALFROMSTRING ValFromString; // evaluates an expression string; that string is user/script controlled input
    PATCHGETEX PatchGetEx;
    GETBRIDGEBP GetBridgeBp;
    // Both write into `result`, bounded by `resultSize`.
    STRINGFORMATINLINE StringFormatInline;
    GETMNEMONICBRIEF GetMnemonicBrief;
    GETTRACERECORDHITCOUNT GetTraceRecordHitCount;
    GETTRACERECORDBYTETYPE GetTraceRecordByteType;
    SETTRACERECORDTYPE SetTraceRecordType;
    GETTRACERECORDTYPE GetTraceRecordType;
    // ListOf(...) outputs: the Script API documents such lists as freed by
    // the caller — presumably the same applies here; confirm.
    ENUMHANDLES EnumHandles;
    GETHANDLENAME GetHandleName; // name/typeName buffers are explicitly sized (nameSize/typeNameSize)
    ENUMTCPCONNECTIONS EnumTcpConnections;
    GETDBGEVENTS GetDbgEvents;
    MODGETPARTY ModGetParty;
    MODSETPARTY ModSetParty;
    WATCHISWATCHDOGTRIGGERED WatchIsWatchdogTriggered;
    MEMISCODEPAGE MemIsCodePage;
    // Takes a debugger command string (presumably handed to the command
    // parser): never compose it from debuggee-derived or otherwise untrusted text.
    ANIMATECOMMAND AnimateCommand;
    // Path of a script the debugger runs when the debuggee initialises —
    // treat it as trusted configuration, not as data.
    DBGSETDEBUGGEEINITSCRIPT DbgSetDebuggeeInitScript;
    DBGGETDEBUGGEEINITSCRIPT DbgGetDebuggeeInitScript;
    HANDLESENUMWINDOWS EnumWindows;
    HANDLESENUMHEAPS EnumHeaps;
    THREADGETNAME ThreadGetName; // `name` buffer is unsized in the signature
    ISDEPENABLED IsDepEnabled;
    GETCALLSTACKEX GetCallStackEx;
    GETUSERCOMMENT GetUserComment; // `comment` buffer is unsized; Script::Comment::Get documents MAX_COMMENT_SIZE for the same data — confirm
    // Three enumerators sharing the ENUMCONSTANTS signature.
    ENUMCONSTANTS EnumConstants;
    ENUMCONSTANTS EnumErrorCodes;
    ENUMCONSTANTS EnumExceptions;
    MEMBPSIZE MemBpSize;
    MODRELOCATIONSFROMADDR ModRelocationsFromAddr;
    MODRELOCATIONATADDR ModRelocationAtAddr;
    MODRELOCATIONSINRANGE ModRelocationsInRange;
    DBGETHASH DbGetHash;
    // Fills at most MaxSymbols entries of `Buffer`; ownership of the strings
    // is not visible here — confirm.
    SYMAUTOCOMPLETE SymAutoComplete;
    REFRESHMODULELIST RefreshModuleList;
    GETADDRFROMLINEEX GetAddrFromLineEx;
    MODSYMBOLSTATUS ModSymbolStatus;
} DBGFUNCTIONS;
289 |
290 | #ifdef BUILD_DBG
291 |
292 | const DBGFUNCTIONS* dbgfunctionsget();
293 | void dbgfunctionsinit();
294 |
295 | #endif //BUILD_DBG
296 |
297 | #endif //_DBGFUNCTIONS_H
298 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_plugin_types.h:
--------------------------------------------------------------------------------
1 | #ifndef _PLUGIN_DATA_H
2 | #define _PLUGIN_DATA_H
3 |
4 | #ifdef BUILD_DBG
5 |
6 | #include "_global.h"
7 | #include "jansson/jansson.h"
8 | #pragma warning(push)
9 | #pragma warning(disable:4091)
#include <dbghelp.h>
11 | #pragma warning(pop)
12 |
13 | #else
14 |
15 | #ifdef __GNUC__
16 | #include "dbghelp/dbghelp.h"
17 | #else
18 | #pragma warning(push)
19 | #pragma warning(disable:4091)
#include <dbghelp.h>
21 | #pragma warning(pop)
22 | #endif // __GNUC__
23 |
24 | #ifndef deflen
25 | #define deflen 1024
26 | #endif // deflen
27 |
28 | #include "bridgemain.h"
29 | #include "_dbgfunctions.h"
30 | #include "jansson/jansson.h"
31 |
32 | #endif // BUILD_DBG
33 |
34 | #endif // _PLUGIN_DATA_H
35 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_plugins.h:
--------------------------------------------------------------------------------
1 | #ifndef _PLUGINS_H
2 | #define _PLUGINS_H
3 |
4 | #ifndef __cplusplus
#include <stdbool.h>
6 | #endif
7 |
8 | #ifndef PLUG_IMPEXP
9 | #ifdef BUILD_DBG
10 | #define PLUG_IMPEXP __declspec(dllexport)
11 | #else
12 | #define PLUG_IMPEXP __declspec(dllimport)
13 | #endif //BUILD_DBG
14 | #endif //PLUG_IMPEXP
15 |
16 | #include "_plugin_types.h"
17 |
//force the default structure packing (16 on x64, 8 on x86) so plugin and debugger builds agree on struct layout (plugin ABI)
19 | #ifdef _WIN64
20 | #pragma pack(push, 16)
21 | #else //x86
22 | #pragma pack(push, 8)
23 | #endif //_WIN64
24 |
25 | //defines
26 | #define PLUG_SDKVERSION 1
27 |
28 | #define PLUG_DB_LOADSAVE_DATA 1
29 | #define PLUG_DB_LOADSAVE_ALL 2
30 |
31 | //structures
typedef struct
{
    // Exchanged during plugin initialisation.
    //provided by the debugger
    int pluginHandle; // passed back to every _plugin_* call that takes a pluginHandle
    //provided by the pluginit function
    int sdkVersion;   // set to PLUG_SDKVERSION; presumably checked by the debugger — confirm
    int pluginVersion;
    char pluginName[256]; // fixed buffer: fill with a bounded, NUL-terminating copy, never strcpy
} PLUG_INITSTRUCT;
41 |
typedef struct
{
    // GUI handles given to the plugin at setup time. The int menu handles are
    // the values accepted by the _plugin_menu* exports below.
    //provided by the debugger
    HWND hwndDlg; //gui window handle
    int hMenu; //plugin menu handle
    int hMenuDisasm; //plugin disasm menu handle
    int hMenuDump; //plugin dump menu handle
    int hMenuStack; //plugin stack menu handle
    int hMenuGraph; //plugin graph menu handle
    int hMenuMemmap; //plugin memory map menu handle
    int hMenuSymmod; //plugin symbol module menu handle
} PLUG_SETUPSTRUCT;
54 |
typedef struct
{
    // Opaque plugin-owned context; the debugger does not interpret it.
    void* data; //user data
} PLUG_SCRIPTSTRUCT;
59 |
60 | //callback structures
typedef struct
{
    // Payload for CB_INITDEBUG. The string is owned by the debugger and is
    // presumably valid only for the duration of the callback — copy if kept.
    const char* szFileName;
} PLUG_CB_INITDEBUG;
65 |
typedef struct
{
    // Payload for CB_STOPDEBUG; carries no data (placeholder field only).
    void* reserved;
} PLUG_CB_STOPDEBUG;
70 |
typedef struct
{
    // Payload for CB_CREATEPROCESS. All pointers are owned by the debugger
    // and presumably valid only for the duration of the callback.
    CREATE_PROCESS_DEBUG_INFO* CreateProcessInfo;
    IMAGEHLP_MODULE64* modInfo;
    const char* DebugFileName;
    PROCESS_INFORMATION* fdProcessInfo; // process/thread handles inside presumably belong to the debugger — do not close them from plugin code
} PLUG_CB_CREATEPROCESS;
78 |
typedef struct
{
    // Payload for CB_EXITPROCESS (Win32 exit-process debug event).
    EXIT_PROCESS_DEBUG_INFO* ExitProcess;
} PLUG_CB_EXITPROCESS;
83 |
typedef struct
{
    // Payload for CB_CREATETHREAD.
    CREATE_THREAD_DEBUG_INFO* CreateThread;
    DWORD dwThreadId; // id of the new thread (the Win32 struct itself carries no id)
} PLUG_CB_CREATETHREAD;
89 |
typedef struct
{
    // Payload for CB_EXITTHREAD.
    EXIT_THREAD_DEBUG_INFO* ExitThread;
    DWORD dwThreadId; // id of the exiting thread
} PLUG_CB_EXITTHREAD;
95 |
typedef struct
{
    // Payload for CB_SYSTEMBREAKPOINT; carries no data (placeholder field only).
    void* reserved;
} PLUG_CB_SYSTEMBREAKPOINT;
100 |
typedef struct
{
    // Payload for CB_LOADDLL. Pointers are debugger-owned and presumably
    // valid only during the callback.
    LOAD_DLL_DEBUG_INFO* LoadDll;
    IMAGEHLP_MODULE64* modInfo;
    const char* modname; // module name as resolved by the debugger
} PLUG_CB_LOADDLL;
107 |
typedef struct
{
    // Payload for CB_UNLOADDLL.
    UNLOAD_DLL_DEBUG_INFO* UnloadDll;
} PLUG_CB_UNLOADDLL;
112 |
typedef struct
{
    // Payload for CB_OUTPUTDEBUGSTRING.
    // NOTE(review): the string pointer and length inside the Win32 struct
    // refer to debuggee memory and are debuggee-controlled — read them with a
    // bounded remote read (e.g. Script::Memory::Read), never dereference directly.
    OUTPUT_DEBUG_STRING_INFO* DebugString;
} PLUG_CB_OUTPUTDEBUGSTRING;
117 |
typedef struct
{
    // Payload for CB_EXCEPTION. The exception record's addresses and
    // parameters originate in the debuggee; validate before using them as
    // pointers into debuggee memory.
    EXCEPTION_DEBUG_INFO* Exception;
} PLUG_CB_EXCEPTION;
122 |
typedef struct
{
    // Payload for CB_BREAKPOINT: the breakpoint that was hit, debugger-owned.
    BRIDGEBP* breakpoint;
} PLUG_CB_BREAKPOINT;
127 |
typedef struct
{
    // Payload for CB_PAUSEDEBUG; carries no data (placeholder field only).
    void* reserved;
} PLUG_CB_PAUSEDEBUG;
132 |
typedef struct
{
    // Payload for CB_RESUMEDEBUG; carries no data (placeholder field only).
    void* reserved;
} PLUG_CB_RESUMEDEBUG;
137 |
typedef struct
{
    // Payload for CB_STEPPED; carries no data (placeholder field only).
    void* reserved;
} PLUG_CB_STEPPED;
142 |
typedef struct
{
    // Payload for CB_ATTACH (fired before attaching, per the CBTYPE comment).
    DWORD dwProcessId; // target process id
} PLUG_CB_ATTACH;
147 |
typedef struct
{
    // Payload for CB_DETACH (fired before detaching, per the CBTYPE comment).
    PROCESS_INFORMATION* fdProcessInfo; // debugger-owned; do not close the handles inside
} PLUG_CB_DETACH;
152 |
typedef struct
{
    // Payload for CB_DEBUGEVENT: the raw Win32 debug event, delivered for
    // every event (per the CBTYPE comment).
    DEBUG_EVENT* DebugEvent;
} PLUG_CB_DEBUGEVENT;
157 |
typedef struct
{
    // Payload for CB_MENUENTRY: the hEntry value the plugin registered via
    // _plugin_menuaddentry.
    int hEntry;
} PLUG_CB_MENUENTRY;
162 |
typedef struct
{
    // Payload for CB_WINEVENT (window message seen by the debugger GUI).
    MSG* message;
    // NOTE(review): `long` is 32 bits on Win64 whereas LRESULT is
    // pointer-sized, so a 64-bit result cannot be returned through this
    // field — confirm the intended contract.
    long* result;
    bool retval; // presumably set to true when the plugin has handled the message — confirm
} PLUG_CB_WINEVENT;
169 |
typedef struct
{
    // Payload for CB_WINEVENTGLOBAL; like PLUG_CB_WINEVENT but without a
    // result slot.
    MSG* message;
    bool retval; // presumably set to true when the plugin has handled the message — confirm
} PLUG_CB_WINEVENTGLOBAL;
175 |
typedef struct
{
    // Payload for CB_LOADDB / CB_SAVEDB.
    // On load the JSON comes from a database file on disk: treat it as
    // untrusted input and check every node's type before reading it.
    json_t* root;
    int loadSaveType; // PLUG_DB_LOADSAVE_DATA or PLUG_DB_LOADSAVE_ALL
} PLUG_CB_LOADSAVEDB;
181 |
typedef struct
{
    // Payload for CB_FILTERSYMBOL.
    const char* symbol;
    bool retval; // plugin's verdict on the symbol (keep/drop semantics not visible here — confirm)
} PLUG_CB_FILTERSYMBOL;
187 |
typedef struct
{
    // Payload for CB_TRACEEXECUTE, delivered per traced instruction.
    duint cip; // current instruction pointer in the debuggee
    bool stop; // set by the plugin to stop tracing
} PLUG_CB_TRACEEXECUTE;
193 |
typedef struct
{
    // Payload for CB_SELCHANGED: selection moved in a GUI window.
    int hWindow;
    duint VA; // newly selected virtual address
} PLUG_CB_SELCHANGED;
199 |
typedef struct
{
    // Payload for CB_ANALYZE: the control-flow graph list under analysis.
    BridgeCFGraphList graph;
} PLUG_CB_ANALYZE;
204 |
typedef struct
{
    // Payload for CB_ADDRINFO: lets a plugin supply address annotations.
    duint addr;
    BRIDGE_ADDRINFO* addrinfo; // filled in by the plugin
    bool retval; // presumably true if the plugin provided info — confirm
} PLUG_CB_ADDRINFO;
211 |
typedef struct
{
    // Payload for CB_VALFROMSTRING: a plugin may resolve an expression token
    // the debugger could not. `string` is user/script input.
    const char* string;
    duint value; // resolved value, written by the plugin
    int* value_size;
    bool* isvar;
    bool* hexonly;
    bool retval; // presumably true if the plugin resolved the string — confirm
} PLUG_CB_VALFROMSTRING;
221 |
typedef struct
{
    // Payload for CB_VALTOSTRING: reverse of PLUG_CB_VALFROMSTRING.
    const char* string;
    duint value;
    bool retval; // presumably true if the plugin produced a string — confirm
} PLUG_CB_VALTOSTRING;
228 |
typedef struct
{
    // Payload for CB_MENUPREPARE: which menu is about to be shown.
    GUIMENUTYPE hMenu;
} PLUG_CB_MENUPREPARE;
233 |
234 | //enums
typedef enum
{
    // Callback identifiers for _plugin_registercallback(); the comment on
    // each names the struct that callbackInfo points to. Values are
    // positional, so new entries are presumably only appended before
    // CB_LAST (as with DBGFUNCTIONS) — confirm.
    CB_INITDEBUG, //PLUG_CB_INITDEBUG
    CB_STOPDEBUG, //PLUG_CB_STOPDEBUG
    CB_CREATEPROCESS, //PLUG_CB_CREATEPROCESS
    CB_EXITPROCESS, //PLUG_CB_EXITPROCESS
    CB_CREATETHREAD, //PLUG_CB_CREATETHREAD
    CB_EXITTHREAD, //PLUG_CB_EXITTHREAD
    CB_SYSTEMBREAKPOINT, //PLUG_CB_SYSTEMBREAKPOINT
    CB_LOADDLL, //PLUG_CB_LOADDLL
    CB_UNLOADDLL, //PLUG_CB_UNLOADDLL
    CB_OUTPUTDEBUGSTRING, //PLUG_CB_OUTPUTDEBUGSTRING
    CB_EXCEPTION, //PLUG_CB_EXCEPTION
    CB_BREAKPOINT, //PLUG_CB_BREAKPOINT
    CB_PAUSEDEBUG, //PLUG_CB_PAUSEDEBUG
    CB_RESUMEDEBUG, //PLUG_CB_RESUMEDEBUG
    CB_STEPPED, //PLUG_CB_STEPPED
    CB_ATTACH, //PLUG_CB_ATTACH (before attaching, after CB_INITDEBUG)
    CB_DETACH, //PLUG_CB_DETACH (before detaching, before CB_STOPDEBUG)
    CB_DEBUGEVENT, //PLUG_CB_DEBUGEVENT (called on any debug event)
    CB_MENUENTRY, //PLUG_CB_MENUENTRY
    CB_WINEVENT, //PLUG_CB_WINEVENT
    CB_WINEVENTGLOBAL, //PLUG_CB_WINEVENTGLOBAL
    CB_LOADDB, //PLUG_CB_LOADSAVEDB
    CB_SAVEDB, //PLUG_CB_LOADSAVEDB
    CB_FILTERSYMBOL, //PLUG_CB_FILTERSYMBOL
    CB_TRACEEXECUTE, //PLUG_CB_TRACEEXECUTE
    CB_SELCHANGED, //PLUG_CB_SELCHANGED
    CB_ANALYZE, //PLUG_CB_ANALYZE
    CB_ADDRINFO, //PLUG_CB_ADDRINFO
    CB_VALFROMSTRING, //PLUG_CB_VALFROMSTRING
    CB_VALTOSTRING, //PLUG_CB_VALTOSTRING
    CB_MENUPREPARE, //PLUG_CB_MENUPREPARE
    CB_LAST // sentinel / count, not a registrable callback type
} CBTYPE;
270 |
typedef enum
{
    // Return codes for CBPLUGINFORMATFUNCTION (custom format-string types).
    FORMAT_ERROR, //generic failure (no message)
    FORMAT_SUCCESS, //success
    FORMAT_ERROR_MESSAGE, //formatting failed but an error was put in the buffer (there are always at least 511 characters available).
    FORMAT_BUFFER_TOO_SMALL //buffer too small (x64dbg will retry until the buffer is big enough); never write past destCount — return this instead
} FORMATRESULT;
278 |
279 | //typedefs
// Plugin-side callback signatures.
// CBPLUGIN: generic event callback; callbackInfo points to the PLUG_CB_* struct named for cbType in CBTYPE.
typedef void (*CBPLUGIN)(CBTYPE cbType, void* callbackInfo);
// CBPLUGINCOMMAND: argv holds the parsed command arguments (user/script input — validate count and content before use).
typedef bool (*CBPLUGINCOMMAND)(int argc, char** argv);
typedef void (*CBPLUGINSCRIPT)();
// CBPLUGINEXPRFUNCTION: expression function; userdata is the pointer given to _plugin_registerexprfunction.
typedef duint(*CBPLUGINEXPRFUNCTION)(int argc, duint* argv, void* userdata);
// CBPLUGINFORMATFUNCTION: write at most destCount bytes (including the terminator) into dest;
// return FORMAT_BUFFER_TOO_SMALL rather than truncating silently (x64dbg retries with a bigger buffer).
typedef FORMATRESULT(*CBPLUGINFORMATFUNCTION)(char* dest, size_t destCount, int argc, char* argv[], duint value, void* userdata);
typedef bool (*CBPLUGINPREDICATE)(void* userdata);
286 |
287 | //exports
288 | #ifdef __cplusplus
289 | extern "C"
290 | {
291 | #endif
292 |
// Callback / command registration. pluginHandle is the value received in PLUG_INITSTRUCT.
PLUG_IMPEXP void _plugin_registercallback(int pluginHandle, CBTYPE cbType, CBPLUGIN cbPlugin);
PLUG_IMPEXP bool _plugin_unregistercallback(int pluginHandle, CBTYPE cbType);
// debugonly presumably restricts the command to when a debuggee is loaded — confirm.
PLUG_IMPEXP bool _plugin_registercommand(int pluginHandle, const char* command, CBPLUGINCOMMAND cbCommand, bool debugonly);
PLUG_IMPEXP bool _plugin_unregistercommand(int pluginHandle, const char* command);
// Logging. `format` is a printf-style format string and is interpreted:
// pass a literal format and feed user-, script- or debuggee-derived text as
// a %s argument, or use _plugin_logputs/_plugin_logprint for plain text.
PLUG_IMPEXP void _plugin_logprintf(const char* format, ...);
PLUG_IMPEXP void _plugin_logputs(const char* text);
PLUG_IMPEXP void _plugin_logprint(const char* text);
// Debug control.
PLUG_IMPEXP void _plugin_debugpause();
PLUG_IMPEXP void _plugin_debugskipexceptions(bool skip);
// Menu management; hMenu values come from PLUG_SETUPSTRUCT or _plugin_menuadd.
PLUG_IMPEXP int _plugin_menuadd(int hMenu, const char* title);
PLUG_IMPEXP bool _plugin_menuaddentry(int hMenu, int hEntry, const char* title);
PLUG_IMPEXP bool _plugin_menuaddseparator(int hMenu);
PLUG_IMPEXP bool _plugin_menuclear(int hMenu);
PLUG_IMPEXP void _plugin_menuseticon(int hMenu, const ICONDATA* icon);
PLUG_IMPEXP void _plugin_menuentryseticon(int pluginHandle, int hEntry, const ICONDATA* icon);
PLUG_IMPEXP void _plugin_menuentrysetchecked(int pluginHandle, int hEntry, bool checked);
PLUG_IMPEXP void _plugin_menusetvisible(int pluginHandle, int hMenu, bool visible);
PLUG_IMPEXP void _plugin_menuentrysetvisible(int pluginHandle, int hEntry, bool visible);
PLUG_IMPEXP void _plugin_menusetname(int pluginHandle, int hMenu, const char* name);
PLUG_IMPEXP void _plugin_menuentrysetname(int pluginHandle, int hEntry, const char* name);
PLUG_IMPEXP void _plugin_menuentrysethotkey(int pluginHandle, int hEntry, const char* hotkey);
PLUG_IMPEXP bool _plugin_menuremove(int hMenu);
PLUG_IMPEXP bool _plugin_menuentryremove(int pluginHandle, int hEntry);
// Scripting helpers.
PLUG_IMPEXP void _plugin_startscript(CBPLUGINSCRIPT cbScript);
PLUG_IMPEXP bool _plugin_waituntilpaused();
PLUG_IMPEXP bool _plugin_registerexprfunction(int pluginHandle, const char* name, int argc, CBPLUGINEXPRFUNCTION cbFunction, void* userdata);
PLUG_IMPEXP bool _plugin_unregisterexprfunction(int pluginHandle, const char* name);
// Loads/unloads another plugin by name: this runs code inside the debugger
// process, so only load plugins from trusted locations.
PLUG_IMPEXP bool _plugin_unload(const char* pluginName);
PLUG_IMPEXP bool _plugin_load(const char* pluginName);
// Hash of `size` bytes at `data`; the algorithm is not visible here — do not
// treat it as a cryptographic hash unless confirmed.
PLUG_IMPEXP duint _plugin_hash(const void* data, duint size);
PLUG_IMPEXP bool _plugin_registerformatfunction(int pluginHandle, const char* type, CBPLUGINFORMATFUNCTION cbFunction, void* userdata);
PLUG_IMPEXP bool _plugin_unregisterformatfunction(int pluginHandle, const char* type);
325 |
326 | #ifdef __cplusplus
327 | }
328 | #endif
329 |
330 | #pragma pack(pop)
331 |
332 | #endif // _PLUGINS_H
333 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPT_API_H
2 | #define _SCRIPT_API_H
3 |
4 | #include "_plugins.h"
5 |
6 | #define SCRIPT_EXPORT PLUG_IMPEXP
7 |
8 | #endif //_SCRIPT_API_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_argument.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_ARGUMENT_H
2 | #define _SCRIPTAPI_ARGUMENT_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Argument ranges (call-argument annotations) stored per module as RVAs.
    namespace Argument
    {
        struct ArgumentInfo
        {
            char mod[MAX_MODULE_SIZE]; // owning module name, fixed buffer
            duint rvaStart;
            duint rvaEnd;
            bool manual; // user-created rather than analysis-created
            duint instructioncount;
        };

        SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0);
        SCRIPT_EXPORT bool Add(const ArgumentInfo* info);
        SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr); // output pointers may be null
        SCRIPT_EXPORT bool GetInfo(duint addr, ArgumentInfo* info);
        SCRIPT_EXPORT bool Overlaps(duint start, duint end);
        SCRIPT_EXPORT bool Delete(duint address);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end, bool deleteManual = false); // manual entries are kept unless deleteManual
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(ArgumentInfo) list); //caller has the responsibility to free the list
    }; //Argument
}; //Script
30 |
31 | #endif //_SCRIPTAPI_ARGUMENT_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_assembler.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_ASSEMBLER_H
2 | #define _SCRIPTAPI_ASSEMBLER_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Assembling text instructions, either into a caller buffer or straight
    // into debuggee memory.
    namespace Assembler
    {
        // dest must hold 16 bytes (enough for the longest x86 instruction); *size receives the encoded length.
        SCRIPT_EXPORT bool Assemble(duint addr, unsigned char* dest, int* size, const char* instruction); //dest[16]
        // error buffer must be MAX_ERROR_SIZE bytes; there is no size parameter.
        SCRIPT_EXPORT bool AssembleEx(duint addr, unsigned char* dest, int* size, const char* instruction, char* error); //dest[16], error[MAX_ERROR_SIZE]
        // These write into the debuggee at addr. fillnop presumably pads the rest of the overwritten instruction with NOPs — confirm.
        SCRIPT_EXPORT bool AssembleMem(duint addr, const char* instruction);
        SCRIPT_EXPORT bool AssembleMemEx(duint addr, const char* instruction, int* size, char* error, bool fillnop); //error[MAX_ERROR_SIZE]
    }; //Assembler
}; //Script
16 |
17 | #endif //_SCRIPTAPI_ASSEMBLER_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_bookmark.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_BOOKMARK_H
2 | #define _SCRIPTAPI_BOOKMARK_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Bookmarks, stored per module as RVAs.
    namespace Bookmark
    {
        struct BookmarkInfo
        {
            char mod[MAX_MODULE_SIZE]; // owning module name, fixed buffer
            duint rva;
            bool manual;
        };

        SCRIPT_EXPORT bool Set(duint addr, bool manual = false);
        SCRIPT_EXPORT bool Set(const BookmarkInfo* info);
        SCRIPT_EXPORT bool Get(duint addr); // true if a bookmark exists at addr
        SCRIPT_EXPORT bool GetInfo(duint addr, BookmarkInfo* info);
        SCRIPT_EXPORT bool Delete(duint addr);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(BookmarkInfo) list); //caller has the responsibility to free the list
    }; //Bookmark
}; //Script
27 |
28 | #endif //_SCRIPTAPI_BOOKMARK_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_comment.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_COMMENT_H
2 | #define _SCRIPTAPI_COMMENT_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // User/auto comments attached to addresses, stored per module as RVAs.
    namespace Comment
    {
        struct CommentInfo
        {
            char mod[MAX_MODULE_SIZE]; // owning module name, fixed buffer
            duint rva;
            char text[MAX_LABEL_SIZE]; // note: sized MAX_LABEL_SIZE here while Get() documents MAX_COMMENT_SIZE — confirm the two agree
            bool manual;
        };

        SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false);
        SCRIPT_EXPORT bool Set(const CommentInfo* info);
        // No size parameter: the caller's buffer must be MAX_COMMENT_SIZE bytes.
        SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_COMMENT_SIZE]
        SCRIPT_EXPORT bool GetInfo(duint addr, CommentInfo* info);
        SCRIPT_EXPORT bool Delete(duint addr);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(CommentInfo) list); //caller has the responsibility to free the list
    }; //Comment
}; //Script
28 |
29 | #endif //_SCRIPTAPI_COMMENT_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_debug.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_DEBUG_H
2 | #define _SCRIPTAPI_DEBUG_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Execution control and breakpoints on the debuggee.
    namespace Debug
    {
        // Trigger condition for a hardware breakpoint.
        enum HardwareType
        {
            HardwareAccess,
            HardwareWrite,
            HardwareExecute
        };

        SCRIPT_EXPORT void Wait(); // presumably blocks until the debuggee pauses — confirm
        SCRIPT_EXPORT void Run();
        SCRIPT_EXPORT void Pause();
        SCRIPT_EXPORT void Stop();
        SCRIPT_EXPORT void StepIn();
        SCRIPT_EXPORT void StepOver();
        SCRIPT_EXPORT void StepOut();
        // Software breakpoints write to debuggee memory at address.
        SCRIPT_EXPORT bool SetBreakpoint(duint address);
        SCRIPT_EXPORT bool DeleteBreakpoint(duint address);
        SCRIPT_EXPORT bool DisableBreakpoint(duint address);
        // Hardware breakpoints default to execute.
        SCRIPT_EXPORT bool SetHardwareBreakpoint(duint address, HardwareType type = HardwareExecute);
        SCRIPT_EXPORT bool DeleteHardwareBreakpoint(duint address);
    }; //Debug
}; //Script
31 |
32 | #endif //_SCRIPTAPI_DEBUG_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_flag.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_FLAG_H
2 | #define _SCRIPTAPI_FLAG_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Read/write of the debuggee's x86 flags register bits.
    namespace Flag
    {
        // Enumerator values are positional (ZF == 0); keep the order.
        enum FlagEnum
        {
            ZF,
            OF,
            CF,
            PF,
            SF,
            TF,
            AF,
            DF,
            IF
        };

        // Generic accessors.
        SCRIPT_EXPORT bool Get(FlagEnum flag);
        SCRIPT_EXPORT bool Set(FlagEnum flag, bool value);

        // Per-flag variants; the Set* return value presumably reports success — confirm.
        SCRIPT_EXPORT bool GetZF();
        SCRIPT_EXPORT bool SetZF(bool value);
        SCRIPT_EXPORT bool GetOF();
        SCRIPT_EXPORT bool SetOF(bool value);
        SCRIPT_EXPORT bool GetCF();
        SCRIPT_EXPORT bool SetCF(bool value);
        SCRIPT_EXPORT bool GetPF();
        SCRIPT_EXPORT bool SetPF(bool value);
        SCRIPT_EXPORT bool GetSF();
        SCRIPT_EXPORT bool SetSF(bool value);
        SCRIPT_EXPORT bool GetTF();
        SCRIPT_EXPORT bool SetTF(bool value);
        SCRIPT_EXPORT bool GetAF();
        SCRIPT_EXPORT bool SetAF(bool value);
        SCRIPT_EXPORT bool GetDF();
        SCRIPT_EXPORT bool SetDF(bool value);
        SCRIPT_EXPORT bool GetIF();
        SCRIPT_EXPORT bool SetIF(bool value);
    }; //Flag
}; //Script
46 |
47 | #endif //_SCRIPTAPI_FLAG_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_function.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_FUNCTION_H
2 | #define _SCRIPTAPI_FUNCTION_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Function ranges, stored per module as RVAs (same shape as Argument).
    namespace Function
    {
        struct FunctionInfo
        {
            char mod[MAX_MODULE_SIZE]; // owning module name, fixed buffer
            duint rvaStart;
            duint rvaEnd;
            bool manual;
            duint instructioncount;
        };

        SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0);
        SCRIPT_EXPORT bool Add(const FunctionInfo* info);
        SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr); // output pointers may be null
        SCRIPT_EXPORT bool GetInfo(duint addr, FunctionInfo* info);
        SCRIPT_EXPORT bool Overlaps(duint start, duint end);
        SCRIPT_EXPORT bool Delete(duint address);
        // Two exported overloads where Argument::DeleteRange uses a default
        // argument; both are part of the exported interface, so keep both.
        SCRIPT_EXPORT void DeleteRange(duint start, duint end, bool deleteManual);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(FunctionInfo) list); //caller has the responsibility to free the list
    }; //Function
}; //Script
31 |
32 | #endif //_SCRIPTAPI_FUNCTION_H
33 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_gui.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_GUI_H
2 | #define _SCRIPTAPI_GUI_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Per-window selection accessors; each sub-namespace mirrors one GUI view.
    // The generic Window-parameterised overloads live in the reopened Gui
    // namespace below.
    namespace Gui
    {
        namespace Disassembly
        {
            SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end);
            SCRIPT_EXPORT bool SelectionSet(duint start, duint end);
            SCRIPT_EXPORT duint SelectionGetStart();
            SCRIPT_EXPORT duint SelectionGetEnd();
        }; //Disassembly

        namespace Dump
        {
            SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end);
            SCRIPT_EXPORT bool SelectionSet(duint start, duint end);
            SCRIPT_EXPORT duint SelectionGetStart();
            SCRIPT_EXPORT duint SelectionGetEnd();
        }; //Dump

        namespace Stack
        {
            SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end);
            SCRIPT_EXPORT bool SelectionSet(duint start, duint end);
            SCRIPT_EXPORT duint SelectionGetStart();
            SCRIPT_EXPORT duint SelectionGetEnd();
        }; //Stack

        // Graph, MemMap and SymMod expose only the selection start.
        namespace Graph
        {
            SCRIPT_EXPORT duint SelectionGetStart();
        }; //Graph

        namespace MemMap
        {
            SCRIPT_EXPORT duint SelectionGetStart();
        }; //MemMap

        namespace SymMod
        {
            SCRIPT_EXPORT duint SelectionGetStart();
        }; //SymMod
    }; //Gui

    namespace Gui
    {
        // Window identifiers for the generic selection functions below.
        enum Window
        {
            DisassemblyWindow,
            DumpWindow,
            StackWindow,
            GraphWindow,
            MemMapWindow,
            SymModWindow
        };

        SCRIPT_EXPORT bool SelectionGet(Window window, duint* start, duint* end);
        SCRIPT_EXPORT bool SelectionSet(Window window, duint start, duint end);
        SCRIPT_EXPORT duint SelectionGetStart(Window window);
        SCRIPT_EXPORT duint SelectionGetEnd(Window window);
        // Modal dialogs. InputLine's text buffer has no size parameter: the
        // caller must provide GUI_MAX_LINE_SIZE bytes.
        SCRIPT_EXPORT void Message(const char* message);
        SCRIPT_EXPORT bool MessageYesNo(const char* message);
        SCRIPT_EXPORT bool InputLine(const char* title, char* text); //text[GUI_MAX_LINE_SIZE]
        SCRIPT_EXPORT bool InputValue(const char* title, duint* value);
        SCRIPT_EXPORT void Refresh();
        // qWidget is opaque here (presumably a QWidget* owned by the plugin).
        // NOTE(review): passing Qt objects across the plugin boundary assumes
        // the plugin and debugger share a compatible Qt build — confirm.
        SCRIPT_EXPORT void AddQWidgetTab(void* qWidget);
        SCRIPT_EXPORT void ShowQWidgetTab(void* qWidget);
        SCRIPT_EXPORT void CloseQWidgetTab(void* qWidget);

    }; //Gui
}; //Script
77 |
78 | #endif //_SCRIPTAPI_GUI_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_label.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_LABEL_H
2 | #define _SCRIPTAPI_LABEL_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Labels attached to addresses, stored per module as RVAs.
    namespace Label
    {
        struct LabelInfo
        {
            char mod[MAX_MODULE_SIZE]; // owning module name, fixed buffer
            duint rva;
            char text[MAX_LABEL_SIZE];
            bool manual;
        };

        SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false);
        SCRIPT_EXPORT bool Set(const LabelInfo* info);
        SCRIPT_EXPORT bool FromString(const char* label, duint* addr); // resolve a label name to an address
        // No size parameter: the caller's buffer must be MAX_LABEL_SIZE bytes.
        SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_LABEL_SIZE]
        SCRIPT_EXPORT bool GetInfo(duint addr, LabelInfo* info);
        SCRIPT_EXPORT bool Delete(duint addr);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(LabelInfo) list); //caller has the responsibility to free the list
    }; //Label
}; //Script
29 |
30 | #endif //_SCRIPTAPI_LABEL_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_memory.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_MEMORY_H
2 | #define _SCRIPTAPI_MEMORY_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    // Access to debuggee memory. All addresses are debuggee virtual addresses.
    namespace Memory
    {
        // sizeRead/sizeWritten receive the byte count actually transferred;
        // check them as well as the bool, since a partial transfer is possible
        // from the signature alone.
        SCRIPT_EXPORT bool Read(duint addr, void* data, duint size, duint* sizeRead);
        SCRIPT_EXPORT bool Write(duint addr, const void* data, duint size, duint* sizeWritten);
        SCRIPT_EXPORT bool IsValidPtr(duint addr);
        // Allocate/free inside the debuggee (contrast Misc::Alloc, which is debugger-side).
        SCRIPT_EXPORT duint RemoteAlloc(duint addr, duint size);
        SCRIPT_EXPORT bool RemoteFree(duint addr);
        // `cache` presumably answers from the cached memory map — confirm; pass false when the debuggee may have changed it.
        SCRIPT_EXPORT unsigned int GetProtect(duint addr, bool reserved = false, bool cache = true);
        SCRIPT_EXPORT duint GetBase(duint addr, bool reserved = false, bool cache = true);
        SCRIPT_EXPORT duint GetSize(duint addr, bool reserved = false, bool cache = true);

        // Typed readers return the data as the only output: a failed read
        // cannot be told apart from a legitimately zero value by the caller.
        // Use Read() with sizeRead when that distinction matters.
        SCRIPT_EXPORT unsigned char ReadByte(duint addr);
        SCRIPT_EXPORT bool WriteByte(duint addr, unsigned char data);
        SCRIPT_EXPORT unsigned short ReadWord(duint addr);
        SCRIPT_EXPORT bool WriteWord(duint addr, unsigned short data);
        SCRIPT_EXPORT unsigned int ReadDword(duint addr);
        SCRIPT_EXPORT bool WriteDword(duint addr, unsigned int data);
        SCRIPT_EXPORT unsigned long long ReadQword(duint addr);
        SCRIPT_EXPORT bool WriteQword(duint addr, unsigned long long data);
        SCRIPT_EXPORT duint ReadPtr(duint addr); // pointer-sized read
        SCRIPT_EXPORT bool WritePtr(duint addr, duint data);
    }; //Memory
}; //Script
31 |
32 | #endif //_SCRIPTAPI_MEMORY_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_misc.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_MISC_H
2 | #define _SCRIPTAPI_MISC_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    namespace Misc
    {
        /// <summary>
        /// Evaluates an expression and returns the result. Analogous to using the Command field in x64dbg.
        ///
        /// Expressions can consist of memory locations, registers, flags, API names, labels, symbols, variables etc.
        /// The expression is interpreted by the debugger, so do not build it from debuggee-derived or otherwise untrusted text.
        ///
        /// Example: bool success = ParseExpression("[esp+8]", &val)
        /// </summary>
        /// <param name="expression">The expression to evaluate.</param>
        /// <param name="value">The result of the expression.</param>
        /// <returns>True on success, False on failure.</returns>
        SCRIPT_EXPORT bool ParseExpression(const char* expression, duint* value);

        /// <summary>
        /// Returns the address of a function in the debuggee's memory space.
        ///
        /// Example: duint addr = RemoteGetProcAddress("kernel32.dll", "GetProcAddress")
        /// </summary>
        /// <param name="module">The name of the module.</param>
        /// <param name="api">The name of the function.</param>
        /// <returns>The address of the function in the debuggee.</returns>
        SCRIPT_EXPORT duint RemoteGetProcAddress(const char* module, const char* api);

        /// <summary>
        /// Returns the address for a label created in the disassembly window.
        ///
        /// Example: duint addr = ResolveLabel("sneaky_crypto")
        /// </summary>
        /// <param name="label">The name of the label to resolve.</param>
        /// <returns>The memory address for the label.</returns>
        SCRIPT_EXPORT duint ResolveLabel(const char* label);

        /// <summary>
        /// Allocates the requested number of bytes from x64dbg's default process heap.
        ///
        /// Note: this allocation is in the debugger, not the debuggee.
        ///
        /// Memory allocated using this function should be Free'd after use.
        ///
        /// Example: void* addr = Alloc(0x100000)
        /// </summary>
        /// <param name="size">Number of bytes to allocate.</param>
        /// <returns>A pointer to the newly allocated memory.</returns>
        SCRIPT_EXPORT void* Alloc(duint size);

        /// <summary>
        /// Frees memory previously allocated by Alloc.
        ///
        /// Example: Free(addr)
        /// </summary>
        /// <param name="ptr">Pointer returned by Alloc.</param>
        /// <returns>Nothing.</returns>
        SCRIPT_EXPORT void Free(void* ptr);
    }; //Misc
}; //Script
64 |
65 | #endif //_SCRIPTAPI_MISC_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_module.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_MODULE_H
2 | #define _SCRIPTAPI_MODULE_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    namespace Module
    {
        //Snapshot of one module loaded in the debuggee. name/path are fixed-size buffers filled by
        //the debugger; they are neither allocated nor resized.
        struct ModuleInfo
        {
            duint base;
            duint size;
            duint entry;
            int sectionCount;
            char name[MAX_MODULE_SIZE];
            char path[MAX_PATH];
        };

        //One section of a module. The name buffer is 5x MAX_SECTION_SIZE; the factor is not explained here.
        struct ModuleSectionInfo
        {
            duint addr;
            duint size;
            char name[MAX_SECTION_SIZE * 5];
        };

        struct ModuleExport
        {
            duint ordinal;
            duint rva;
            duint va;
            bool forwarded; //presumably: export is a forwarder and forwardName holds the forwarder string (inferred from the names - verify)
            char forwardName[MAX_STRING_SIZE];
            char name[MAX_STRING_SIZE];
            char undecoratedName[MAX_STRING_SIZE];
        };

        struct ModuleImport
        {
            duint iatRva;
            duint iatVa;
            duint ordinal; //equal to -1 if imported by name, i.e. stored as (duint)-1 (all bits set)
            char name[MAX_STRING_SIZE];
            char undecoratedName[MAX_STRING_SIZE];
        };

        //Out-buffer convention: the char* out-parameters below take no length argument. The caller must
        //supply at least the size given in the trailing comment (MAX_MODULE_SIZE or MAX_PATH chars); a
        //smaller buffer cannot be detected by the callee.
        //ListOf(...) out-parameters: the list data is allocated by the debugger and must be released by the
        //caller with BridgeFree / BridgeList<T>::Free (see bridgelist.h), never with free()/delete.
        //The values returned by the duint/int lookups when the module is unknown are not stated in this header.
        SCRIPT_EXPORT bool InfoFromAddr(duint addr, ModuleInfo* info);
        SCRIPT_EXPORT bool InfoFromName(const char* name, ModuleInfo* info);
        SCRIPT_EXPORT duint BaseFromAddr(duint addr);
        SCRIPT_EXPORT duint BaseFromName(const char* name);
        SCRIPT_EXPORT duint SizeFromAddr(duint addr);
        SCRIPT_EXPORT duint SizeFromName(const char* name);
        SCRIPT_EXPORT bool NameFromAddr(duint addr, char* name); //name[MAX_MODULE_SIZE]
        SCRIPT_EXPORT bool PathFromAddr(duint addr, char* path); //path[MAX_PATH]
        SCRIPT_EXPORT bool PathFromName(const char* name, char* path); //path[MAX_PATH]
        SCRIPT_EXPORT duint EntryFromAddr(duint addr);
        SCRIPT_EXPORT duint EntryFromName(const char* name);
        SCRIPT_EXPORT int SectionCountFromAddr(duint addr);
        SCRIPT_EXPORT int SectionCountFromName(const char* name);
        SCRIPT_EXPORT bool SectionFromAddr(duint addr, int number, ModuleSectionInfo* section);
        SCRIPT_EXPORT bool SectionFromName(const char* name, int number, ModuleSectionInfo* section);
        SCRIPT_EXPORT bool SectionListFromAddr(duint addr, ListOf(ModuleSectionInfo) list); //caller has the responsibility to free the list
        SCRIPT_EXPORT bool SectionListFromName(const char* name, ListOf(ModuleSectionInfo) list); //caller has the responsibility to free the list
        //"Main module" = the debuggee executable itself (as opposed to a DLL) - inferred from the name, verify.
        SCRIPT_EXPORT bool GetMainModuleInfo(ModuleInfo* info);
        SCRIPT_EXPORT duint GetMainModuleBase();
        SCRIPT_EXPORT duint GetMainModuleSize();
        SCRIPT_EXPORT duint GetMainModuleEntry();
        SCRIPT_EXPORT int GetMainModuleSectionCount();
        SCRIPT_EXPORT bool GetMainModuleName(char* name); //name[MAX_MODULE_SIZE]
        SCRIPT_EXPORT bool GetMainModulePath(char* path); //path[MAX_PATH]
        SCRIPT_EXPORT bool GetMainModuleSectionList(ListOf(ModuleSectionInfo) list); //caller has the responsibility to free the list
        SCRIPT_EXPORT bool GetList(ListOf(ModuleInfo) list); //caller has the responsibility to free the list
        SCRIPT_EXPORT bool GetExports(const ModuleInfo* mod, ListOf(ModuleExport) list); //caller has the responsibility to free the list
        SCRIPT_EXPORT bool GetImports(const ModuleInfo* mod, ListOf(ModuleImport) list); //caller has the responsibility to free the list
    }; //Module
}; //Script
77 |
78 | #endif //_SCRIPTAPI_MODULE_H
79 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_pattern.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_PATTERN_H
2 | #define _SCRIPTAPI_PATTERN_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    namespace Pattern
    {
        //Byte-pattern search and patch helpers.
        // - The data/datasize overloads operate on a caller-supplied buffer in the debugger's own memory.
        // - The start/size (*Mem) overloads take a duint range, presumably a debuggee address range - verify
        //   against the implementation. The pattern syntax is not documented in this header.
        //Find/FindMem: the not-found return value is NOT stated here. Do not assume it is 0 without
        //checking the implementation; an all-ones sentinel is equally plausible for a duint.
        SCRIPT_EXPORT duint Find(unsigned char* data, duint datasize, const char* pattern);
        SCRIPT_EXPORT duint FindMem(duint start, duint size, const char* pattern);
        //Write/WriteMem return nothing, so a failed or partial patch is not reported to the caller.
        SCRIPT_EXPORT void Write(unsigned char* data, duint datasize, const char* pattern);
        SCRIPT_EXPORT void WriteMem(duint start, duint size, const char* pattern);
        //SearchAndReplace*: the bool result is the only success indication.
        SCRIPT_EXPORT bool SearchAndReplace(unsigned char* data, duint datasize, const char* searchpattern, const char* replacepattern);
        SCRIPT_EXPORT bool SearchAndReplaceMem(duint start, duint size, const char* searchpattern, const char* replacepattern);
    };
};
18 |
19 | #endif //_SCRIPTAPI_FIND_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_stack.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_STACK_H
2 | #define _SCRIPTAPI_STACK_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    namespace Stack
    {
        //Stack helpers that work in units of Register::Size() (the debuggee's pointer size), so one
        //script runs on both x32 and x64. They appear to act on the debuggee's stack and Pop/Push
        //presumably move its stack pointer as a side effect - confirm against the implementation.
        //Behavior with no debuggee or an unreadable stack address is not documented here.
        SCRIPT_EXPORT duint Pop();
        SCRIPT_EXPORT duint Push(duint value); //returns the previous top, equal to Peek(1)
        SCRIPT_EXPORT duint Peek(int offset = 0); //offset is in multiples of Register::Size(), for easy x32/x64 portability
    }; //Stack
}; //Script
15 |
16 | #endif //_SCRIPTAPI_STACK_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_symbol.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_SYMBOL_H
2 | #define _SCRIPTAPI_SYMBOL_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
    namespace Symbol
    {
        enum SymbolType
        {
            Function, //user-defined function
            Import, //IAT entry
            Export //export
        };

        struct SymbolInfo
        {
            char mod[MAX_MODULE_SIZE]; //owning module name (fixed buffer)
            duint rva; //module-relative address; Module::BaseFromName(mod) + rva should give the VA (inferred from the field name - verify)
            char name[MAX_LABEL_SIZE]; //symbol name (fixed buffer)
            bool manual; //presumably set when the symbol was entered by the user rather than derived - confirm
            SymbolType type;
        };

        //Fills list with one SymbolInfo per known symbol. The data is bridge-allocated: release it with
        //BridgeFree / BridgeList<SymbolInfo>::Free (see bridgelist.h), never with free()/delete.
        SCRIPT_EXPORT bool GetList(ListOf(SymbolInfo) list); //caller has the responsibility to free the list
    }; //Symbol
}; //Script
29 |
30 | #endif //_SCRIPTAPI_SYMBOL_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/bridgegraph.h:
--------------------------------------------------------------------------------
1 | #ifndef _GRAPH_H
2 | #define _GRAPH_H
3 |
//One decoded instruction of a basic block.
typedef struct
{
    duint addr; //virtual address of the instruction
    unsigned char data[15]; //instruction bytes; 15 is the x86 maximum encoding length. The actual length is not recorded here.
} BridgeCFInstruction;
9 |
//C-ABI form of a basic block (BridgeCFNode below is the C++ view).
//Ownership: exits and instrs are bridge-allocated lists. Release them with BridgeCFNode::Free
//(or the matching BridgeList<...>::Free), never with free()/delete.
typedef struct
{
    duint parentGraph; //function of which this node is a part
    duint start; //start of the block
    duint end; //end of the block (inclusive)
    duint brtrue; //destination if condition is true (0 = no such edge, see BridgeCFGraph::AddParent)
    duint brfalse; //destination if condition is false (0 = no such edge)
    duint icount; //number of instructions in node
    bool terminal; //node is a RET
    bool split; //node is a split (brtrue points to the next node)
    bool indirectcall; //node contains indirect calls (call reg, call [reg+X])
    void* userdata; //user data (opaque; not freed by any Free() in this header)
    ListInfo exits; //exits (including brtrue and brfalse, duint)
    ListInfo instrs; //block instructions (BridgeCFInstruction)
} BridgeCFNodeList;
25 |
//C-ABI form of a whole function graph. nodes.data is an array of nodes.count BridgeCFNodeList
//entries and nodes.size must equal nodes.count * sizeof(BridgeCFNodeList); BridgeCFGraph checks this.
typedef struct
{
    duint entryPoint; //graph entry point
    void* userdata; //user data (opaque; not freed by BridgeCFGraph::Free)
    ListInfo nodes; //graph nodes (BridgeCFNodeList)
} BridgeCFGraphList;
32 |
33 | #ifdef __cplusplus
34 | #if _MSC_VER >= 1700 && !defined(NO_CPP11)
35 |
#include <vector>
#include <unordered_map>
#include <unordered_set>
#include <algorithm>
40 |
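//C++ view of a basic block. Mirrors BridgeCFNodeList field for field, with the two bridge lists
//held as std::vectors so the object owns its data and needs no explicit Free.
struct BridgeCFNode
{
    duint parentGraph = 0; //function of which this node is a part
    duint start = 0; //start of the block
    duint end = 0; //end of the block (inclusive)
    duint brtrue = 0; //destination if condition is true (0 = none)
    duint brfalse = 0; //destination if condition is false (0 = none)
    duint icount = 0; //number of instructions in node
    bool terminal = false; //node is a RET
    bool split = false; //node is a split (brtrue points to the next node)
    bool indirectcall = false; //node contains indirect calls (call reg, call [reg+X])
    void* userdata = nullptr; //user data (opaque, never freed here)
    std::vector<duint> exits; //exits (including brtrue and brfalse)
    std::vector<BridgeCFInstruction> instrs; //block instructions

    //Releases the bridge-allocated exits/instrs arrays of a C-ABI node. The struct itself is not
    //freed and its data pointers are left dangling, so the caller must not use nodeList afterwards.
    //A null list or a size/count mismatch (wrong element type) is a programming error: fail fast.
    static void Free(const BridgeCFNodeList* nodeList)
    {
        if(!nodeList)
            __debugbreak();
        if(!BridgeList<duint>::Free(&nodeList->exits))
            __debugbreak();
        if(!BridgeList<BridgeCFInstruction>::Free(&nodeList->instrs))
            __debugbreak();
    }

    BridgeCFNode() = default;

    //Copies a C-ABI node into this object.
    //freedata: release the bridge arrays behind exits/instrs once copied. When true, do NOT also call
    //Free(nodeList) - that would double free. __debugbreak() only traps, it does not return an error,
    //so a null nodeList is still dereferenced right after the trap if execution is continued.
    BridgeCFNode(const BridgeCFNodeList* nodeList, bool freedata)
    {
        if(!nodeList)
            __debugbreak();
        parentGraph = nodeList->parentGraph;
        start = nodeList->start;
        end = nodeList->end;
        brtrue = nodeList->brtrue;
        brfalse = nodeList->brfalse;
        icount = nodeList->icount;
        terminal = nodeList->terminal;
        indirectcall = nodeList->indirectcall;
        split = nodeList->split;
        userdata = nodeList->userdata;
        if(!BridgeList<duint>::ToVector(&nodeList->exits, exits, freedata))
            __debugbreak();
        if(!BridgeList<BridgeCFInstruction>::ToVector(&nodeList->instrs, instrs, freedata))
            __debugbreak();
    }

    //Bare node spanning [start, end]; branch targets stay 0 (none) until the caller sets them.
    BridgeCFNode(duint parentGraph, duint start, duint end)
        : parentGraph(parentGraph),
          start(start),
          end(end)
    {
    }

    //Converts to the C-ABI form. The returned exits/instrs lists are fresh bridge allocations owned
    //by the caller: release them with Free() (or BridgeCFGraph::Free when part of a graph list).
    BridgeCFNodeList ToNodeList() const
    {
        BridgeCFNodeList out;
        out.parentGraph = parentGraph;
        out.start = start;
        out.end = end;
        out.brtrue = brtrue;
        out.brfalse = brfalse;
        out.icount = icount;
        out.terminal = terminal;
        out.indirectcall = indirectcall;
        out.split = split;
        out.userdata = userdata;
        BridgeList<duint>::CopyData(&out.exits, exits);
        BridgeList<BridgeCFInstruction>::CopyData(&out.instrs, instrs);
        return out; //plain return allows copy elision; std::move() on a local only inhibits it
    }
};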
111 |
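//C++ view of a function's control-flow graph (BridgeCFGraphList is the C-ABI form).
struct BridgeCFGraph
{
    duint entryPoint; //graph entry point
    void* userdata; //user data
    std::unordered_map<duint, BridgeCFNode> nodes; //CFNode.start -> CFNode
    //CFNode.start -> set of addresses.
    //NOTE(review): AddNode() fills this via AddParent(node.start, node.brtrue/brfalse), so the set
    //stored under a node's start holds that node's own branch targets (its successors), despite the
    //name. Behavior is kept for existing callers; invert the map yourself if you need "who jumps to X".
    std::unordered_map<duint, std::unordered_set<duint>> parents;

    //Releases every bridge allocation behind a C-ABI graph list: each node's exits/instrs, then the
    //node array. Fails fast on a null list or a size/count mismatch (wrong element type).
    //graphList->nodes.data is left dangling afterwards.
    static void Free(const BridgeCFGraphList* graphList)
    {
        if(!graphList || graphList->nodes.size != graphList->nodes.count * sizeof(BridgeCFNodeList))
            __debugbreak();
        auto data = (BridgeCFNodeList*)graphList->nodes.data;
        for(int i = 0; i < graphList->nodes.count; i++)
            BridgeCFNode::Free(&data[i]);
        if(data) //an empty list carries data == nullptr (BridgeList::CopyData); mirror the constructor's guard
            BridgeFree(data);
    }

    //Builds the graph from its C-ABI form.
    //freedata: also release all bridge allocations in graphList (per-node lists and the node array);
    //when true the caller must not call Free(graphList) afterwards. Fails fast on a malformed list.
    explicit BridgeCFGraph(const BridgeCFGraphList* graphList, bool freedata)
    {
        if(!graphList || graphList->nodes.size != graphList->nodes.count * sizeof(BridgeCFNodeList))
            __debugbreak();
        entryPoint = graphList->entryPoint;
        userdata = graphList->userdata;
        auto data = (BridgeCFNodeList*)graphList->nodes.data;
        for(int i = 0; i < graphList->nodes.count; i++)
            AddNode(BridgeCFNode(&data[i], freedata));
        if(freedata && data)
            BridgeFree(data);
    }

    //Empty graph rooted at entryPoint.
    explicit BridgeCFGraph(duint entryPoint)
        : entryPoint(entryPoint),
          userdata(nullptr)
    {
    }

    //Inserts (or replaces) the node keyed by node.start and records its two direct branch targets.
    void AddNode(const BridgeCFNode & node)
    {
        nodes[node.start] = node;
        AddParent(node.start, node.brtrue);
        AddParent(node.start, node.brfalse);
    }

    //Records parent in the set stored under child (see the note on the parents member for what the
    //two really are). Address 0 is the "no edge" sentinel and is ignored on either side.
    void AddParent(duint child, duint parent)
    {
        if(!child || !parent)
            return;
        parents[child].insert(parent); //operator[] default-constructs the set on first use
    }

    //Converts to the C-ABI form. The returned node array and each node's lists are fresh bridge
    //allocations owned by the caller: release them with Free(). Array order follows unordered_map
    //iteration order and is therefore not guaranteed stable.
    BridgeCFGraphList ToGraphList() const
    {
        BridgeCFGraphList out;
        out.entryPoint = entryPoint;
        out.userdata = userdata;
        std::vector<BridgeCFNodeList> nodeList;
        nodeList.reserve(nodes.size());
        for(const auto & nodeIt : nodes)
            nodeList.push_back(nodeIt.second.ToNodeList());
        BridgeList<BridgeCFNodeList>::CopyData(&out.nodes, nodeList);
        return out; //plain return allows copy elision; std::move() on a local only inhibits it
    }
};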
182 |
183 | #endif //_MSC_VER
184 | #endif //__cplusplus
185 |
186 | #endif //_GRAPH_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/bridgelist.h:
--------------------------------------------------------------------------------
1 | #ifndef _LIST_H
2 | #define _LIST_H
3 |
//Plain-C list header handed across the plugin/debugger boundary.
typedef struct
{
    int count; //Number of elements in the list. Signed: a negative value is malformed (BridgeList rejects it).
    size_t size; //Size of list in bytes (used for type checking): consumers verify size == count * sizeof(ElementType).
    void* data; //Pointer to the list contents. Must be deleted by the caller using BridgeFree (or BridgeList::Free).
} ListInfo;
10 |
//Documentation-only alias: every list parameter is a plain ListInfo*; the element Type is not
//enforced by the compiler. BridgeList<Type> re-checks it at runtime via size == count * sizeof(Type).
#define ListOf(Type) ListInfo*
12 |
13 | #ifdef __cplusplus
14 |
#include <climits>
#include <cstring>
#include <vector>
16 |
17 | /**
18 | \brief A list object. This object is NOT thread safe.
19 | \tparam Type BridgeList contents type.
20 | */
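template<typename Type>
class BridgeList
{
public:
    /**
    \brief BridgeList constructor. The list starts empty: count 0, size 0, data null.
    Type must be trivially copyable: elements are assigned into raw BridgeAlloc'd storage and released
    with BridgeFree, so no constructors or destructors ever run for them.
    */
    explicit BridgeList()
    {
        memset(&_listInfo, 0, sizeof(_listInfo));
    }

    /**
    \brief BridgeList destructor. Releases the list data with BridgeFree.
    */
    ~BridgeList()
    {
        Cleanup();
    }

    /**
    \brief Gets the list data.
    \return Returns ListInfo->data. Can be null if the list was never initialized. Will be destroyed once this object goes out of scope!
    */
    Type* Data() const
    {
        return reinterpret_cast<Type*>(_listInfo.data);
    }

    /**
    \brief Gets the number of elements in the list. This will crash the program (__debugbreak) if the header is not consistent with the specified template argument.
    \return The number of elements in the list.
    */
    int Count() const
    {
        if(!ValidLayout(_listInfo)) //make sure the user is using the correct type.
            __debugbreak();
        return _listInfo.count;
    }

    /**
    \brief Cleans up the list, freeing the list data when it is not null and resetting count/size to 0
    so the header never describes memory that has already been released.
    */
    void Cleanup()
    {
        if(_listInfo.data)
        {
            BridgeFree(_listInfo.data);
            _listInfo.data = nullptr;
        }
        _listInfo.count = 0;
        _listInfo.size = 0;
    }

    /**
    \brief Reference operator. WARNING: taking the address of a BridgeList frees its current contents
    (Cleanup) and hands out the internal ListInfo for an API to fill. Use it only as the out-parameter
    of one API call; use std::addressof if you need the object's own address.
    \return Pointer to the ListInfo.
    */
    ListInfo* operator&()
    {
        Cleanup();
        return &_listInfo;
    }

    /**
    \brief Array indexer operator. This will crash if you try to access out-of-bounds.
    \param index Zero-based index of the item you want to get.
    \return Reference to a value at that index.
    */
    Type & operator[](size_t index) const
    {
        if(index >= size_t(Count())) //make sure the out-of-bounds access is caught as soon as possible.
            __debugbreak();
        return Data()[index];
    }

    /**
    \brief Copies data to a ListInfo structure. The buffer comes from BridgeAlloc and becomes the
    caller's responsibility (BridgeFree / Free). BridgeAlloc's behavior on failure is not visible in this
    header; the copy below assumes it returned a usable buffer.
    \param [out] listInfo If non-null, information describing the list.
    \param listData Data to copy in the ListInfo structure.
    \return true if it succeeds, false if listInfo is null or listData has more than INT_MAX elements
    (count is an int; truncating it would undersize the allocation and overflow the copy).
    */
    static bool CopyData(ListInfo* listInfo, const std::vector<Type> & listData)
    {
        if(!listInfo)
            return false;
        if(listData.size() > size_t(INT_MAX))
            return false;
        listInfo->count = int(listData.size());
        listInfo->size = listInfo->count * sizeof(Type);
        if(listInfo->count)
        {
            listInfo->data = BridgeAlloc(listInfo->size);
            Type* curItem = reinterpret_cast<Type*>(listInfo->data);
            for(const auto & item : listData)
                *curItem++ = item;
        }
        else
            listInfo->data = nullptr;
        return true;
    }

    /**
    \brief Frees the data of a ListInfo produced for this Type. The header is const, so data is left
    dangling: callers must not reuse or free it again.
    \return false (and nothing freed) when listInfo is null, its size/count do not match Type, or it
    claims elements but has no data.
    */
    static bool Free(const ListInfo* listInfo)
    {
        if(!listInfo || !ValidLayout(*listInfo) || (listInfo->count && !listInfo->data))
            return false;
        if(listInfo->data)
            BridgeFree(listInfo->data);
        return true;
    }

    /**
    \brief Copies the list contents into listData (replacing its previous contents).
    \param freedata When true (default) the bridge buffer is released afterwards; listInfo->data then dangles.
    \return false (and listData untouched) when the header fails the same checks as Free().
    */
    static bool ToVector(const ListInfo* listInfo, std::vector<Type> & listData, bool freedata = true)
    {
        if(!listInfo || !ValidLayout(*listInfo) || (listInfo->count && !listInfo->data))
            return false;
        const Type* first = reinterpret_cast<const Type*>(listInfo->data);
        listData.assign(first, first + listInfo->count);
        if(freedata && listInfo->data)
            BridgeFree(listInfo->data);
        return true;
    }

private:
    //True when the header is self-consistent for this Type: non-negative count and size == count * sizeof(Type).
    static bool ValidLayout(const ListInfo & info)
    {
        return info.count >= 0 && info.size == size_t(info.count) * sizeof(Type);
    }

    ListInfo _listInfo;
};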
146 |
147 | #endif //__cplusplus
148 |
149 | #endif //_LIST_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/dbghelp/dbghelp_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/dbghelp/dbghelp_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/dbghelp/dbghelp_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/dbghelp/dbghelp_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/dbghelp/dbghelp_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/dbghelp/dbghelp_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/dbghelp/dbghelp_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/dbghelp/dbghelp_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_config.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 2010-2016 Petri Lehtinen
3 | *
4 | * Jansson is free software; you can redistribute it and/or modify
5 | * it under the terms of the MIT license. See LICENSE for details.
6 | *
7 | *
8 | * This file specifies a part of the site-specific configuration for
9 | * Jansson, namely those things that affect the public API in
10 | * jansson.h.
11 | *
12 | * The CMake system will generate the jansson_config.h file and
13 | * copy it to the build and install directories.
14 | */
15 |
16 | #ifndef JANSSON_CONFIG_H
17 | #define JANSSON_CONFIG_H
18 |
19 | /* Define this so that we can disable scattered automake configuration in source files */
20 | #ifndef JANSSON_USING_CMAKE
21 | #define JANSSON_USING_CMAKE
22 | #endif
23 |
24 | /* Note: when using cmake, JSON_INTEGER_IS_LONG_LONG is not defined nor used,
25 | * as we will also check for __int64 etc types.
26 | * (the definition was used in the automake system) */
27 |
28 | /* Bring in the cmake-detected defines */
29 | #define HAVE_STDINT_H 1
30 | /* #undef HAVE_INTTYPES_H */
31 | /* #undef HAVE_SYS_TYPES_H */
32 |
33 | /* Include our standard type header for the integer typedef */
34 |
#if defined(HAVE_STDINT_H)
# include <stdint.h>
#elif defined(HAVE_INTTYPES_H)
# include <inttypes.h>
#elif defined(HAVE_SYS_TYPES_H)
# include <sys/types.h>
#endif
42 |
43 |
44 | /* If your compiler supports the inline keyword in C, JSON_INLINE is
45 | defined to `inline', otherwise empty. In C++, the inline is always
46 | supported. */
47 | #ifdef __cplusplus
48 | #define JSON_INLINE inline
49 | #else
50 | #define JSON_INLINE __inline
51 | #endif
52 |
53 |
54 | #define json_int_t long long
55 | #define json_strtoint strtoll
56 | #define JSON_INTEGER_FORMAT "I64d"
57 |
58 |
59 | /* If locale.h and localeconv() are available, define to 1, otherwise to 0. */
60 | #define JSON_HAVE_LOCALECONV 1
61 |
62 |
63 | /* Maximum recursion depth for parsing JSON input.
64 | This limits the depth of e.g. array-within-array constructions. */
65 | #define JSON_PARSER_MAX_DEPTH 2048
66 |
67 |
68 | #endif
69 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/jansson/jansson_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/jansson/jansson_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x64dbg.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include "jansson.h"
4 |
/* Shorthand for jansson's json_t pointer type. */
typedef json_t* JSON;
6 |
/* Encodes value as a JSON string of the form "0x<uppercase hex>", the inverse of json_hex_value. */
static JSON_INLINE
json_t* json_hex(unsigned json_int_t value)
{
    /* "0x" + at most 16 hex digits + NUL = 19 bytes; 20 leaves one spare. */
    char text[20];
    snprintf(text, sizeof(text), "0x%llX", value);
    return json_string(text);
}
14 |
/* Decodes a "0x..." string produced by json_hex.
   Returns 0 when hex is not a string, lacks the literal "0x" prefix, or has no hex digits after it -
   indistinguishable from a genuine 0x0, so check the value's presence/type first if that matters.
   After the literal "0x", %llX follows scanf rules (skips whitespace, accepts a sign and a second 0x),
   so this is not a strict validator of the input. */
static JSON_INLINE
unsigned json_int_t json_hex_value(const json_t* hex)
{
    unsigned json_int_t parsed = 0;
    const char* text = json_string_value(hex);
    if(text)
        sscanf_s(text, "0x%llX", &parsed);
    return parsed;
}
26 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/jansson/jansson_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/jansson/jansson_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/lz4/lz4_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/lz4/lz4_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/lz4/lz4_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/lz4/lz4_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4file.h:
--------------------------------------------------------------------------------
1 | #ifndef _LZ4FILE_H
2 | #define _LZ4FILE_H
3 |
/* Result codes of the LZ4_*_file functions below. LZ4_SUCCESS is 0, so `if(status)` means failure.
   Do not use the output file unless LZ4_SUCCESS was returned; the other names are self-describing but
   their exact triggers are not documented here. */
typedef enum _LZ4_STATUS
{
    LZ4_SUCCESS,
    LZ4_FAILED_OPEN_INPUT,
    LZ4_FAILED_OPEN_OUTPUT,
    LZ4_NOT_ENOUGH_MEMORY,
    LZ4_INVALID_ARCHIVE,
    LZ4_CORRUPTED_ARCHIVE
} LZ4_STATUS;
13 |
14 | #if defined (__cplusplus)
15 | extern "C"
16 | {
17 | #endif
18 |
/* Whole-file (de)compression by path (ANSI and wide variants). Both paths are handed straight to the
   library, which opens the output for writing, so validate any path derived from untrusted input before
   calling. Always check the returned LZ4_STATUS; decompressing an untrusted archive is exactly where
   LZ4_INVALID_ARCHIVE / LZ4_CORRUPTED_ARCHIVE are expected. */
__declspec(dllimport) LZ4_STATUS LZ4_compress_file(const char* input_filename, const char* output_filename);
__declspec(dllimport) LZ4_STATUS LZ4_compress_fileW(const wchar_t* input_filename, const wchar_t* output_filename);
__declspec(dllimport) LZ4_STATUS LZ4_decompress_file(const char* input_filename, const char* output_filename);
__declspec(dllimport) LZ4_STATUS LZ4_decompress_fileW(const wchar_t* input_filename, const wchar_t* output_filename);
23 |
24 | #if defined (__cplusplus)
25 | }
26 | #endif
27 |
28 | #endif //_LZ4FILE_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4hc.h:
--------------------------------------------------------------------------------
1 | /*
2 | LZ4 HC - High Compression Mode of LZ4
3 | Header File
4 | Copyright (C) 2011-2014, Yann Collet.
5 | BSD 2-Clause License (http://www.opensource.org/licenses/bsd-license.php)
6 |
7 | Redistribution and use in source and binary forms, with or without
8 | modification, are permitted provided that the following conditions are
9 | met:
10 |
11 | * Redistributions of source code must retain the above copyright
12 | notice, this list of conditions and the following disclaimer.
13 | * Redistributions in binary form must reproduce the above
14 | copyright notice, this list of conditions and the following disclaimer
15 | in the documentation and/or other materials provided with the
16 | distribution.
17 |
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 |
30 | You can contact the author at :
31 | - LZ4 homepage : http://fastcompression.blogspot.com/p/lz4.html
32 | - LZ4 source repository : http://code.google.com/p/lz4/
33 | */
34 | #ifndef _LZ4HC_H
35 | #define _LZ4HC_H
36 |
37 | #if defined (__cplusplus)
38 | extern "C"
39 | {
40 | #endif
41 |
42 |
/* No output bound: dest must hold LZ4_compressBound(inputSize) bytes (see the note below) or the
   call can write past it. Prefer LZ4_compressHC_limitedOutput whenever dest may be smaller. */
__declspec(dllimport) int LZ4_compressHC(const char* source, char* dest, int inputSize);
44 | /*
45 | LZ4_compressHC :
46 | return : the number of bytes in compressed buffer dest
47 | or 0 if compression fails.
48 | note : destination buffer must be already allocated.
49 | To avoid any problem, size it to handle worst cases situations (input data not compressible)
50 | Worst case size evaluation is provided by function LZ4_compressBound() (see "lz4.h")
51 | */
52 |
/* Bounded variant: never writes beyond dest + maxOutputSize. Returns 0, not a partial size, when the
   compressed data does not fit (see the note below). */
__declspec(dllimport) int LZ4_compressHC_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize);
54 | /*
LZ4_compressHC_limitedOutput() :
56 | Compress 'inputSize' bytes from 'source' into an output buffer 'dest' of maximum size 'maxOutputSize'.
57 | If it cannot achieve it, compression will stop, and result of the function will be zero.
58 | This function never writes outside of provided output buffer.
59 |
60 | inputSize : Max supported value is 1 GB
61 | maxOutputSize : is maximum allowed size into the destination buffer (which must be already allocated)
62 | return : the number of output bytes written in buffer 'dest'
63 | or 0 if compression fails.
64 | */
65 |
66 |
/* Level-selectable variants of the two functions above (0 = default level; values above 16 behave as
   16, see the note below). The same dest-size caveats apply: only the _limitedOutput form is bounded. */
__declspec(dllimport) int LZ4_compressHC2(const char* source, char* dest, int inputSize, int compressionLevel);
__declspec(dllimport) int LZ4_compressHC2_limitedOutput(const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel);
69 | /*
70 | Same functions as above, but with programmable 'compressionLevel'.
71 | Recommended values are between 4 and 9, although any value between 0 and 16 will work.
72 | 'compressionLevel'==0 means use default 'compressionLevel' value.
73 | Values above 16 behave the same as 16.
74 | Equivalent variants exist for all other compression functions below.
75 | */
76 |
77 | /* Note :
78 | Decompression functions are provided within LZ4 source code (see "lz4.h") (BSD license)
79 | */
80 |
81 |
82 | /**************************************
83 | Using an external allocation
84 | **************************************/
/* Caller-owned working state: allocate LZ4_sizeofStateHC() bytes, aligned for pointers, and pass it
   as `state`. Misaligned or undersized state makes compression fail with return 0 (see the note below);
   the library does not validate it otherwise. */
__declspec(dllimport) int LZ4_sizeofStateHC(void);
__declspec(dllimport) int LZ4_compressHC_withStateHC(void* state, const char* source, char* dest, int inputSize);
__declspec(dllimport) int LZ4_compressHC_limitedOutput_withStateHC(void* state, const char* source, char* dest, int inputSize, int maxOutputSize);

__declspec(dllimport) int LZ4_compressHC2_withStateHC(void* state, const char* source, char* dest, int inputSize, int compressionLevel);
__declspec(dllimport) int LZ4_compressHC2_limitedOutput_withStateHC(void* state, const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel);
91 |
92 | /*
93 | These functions are provided should you prefer to allocate memory for compression tables with your own allocation methods.
94 | To know how much memory must be allocated for the compression tables, use :
95 | int LZ4_sizeofStateHC();
96 |
97 | Note that tables must be aligned for pointer (32 or 64 bits), otherwise compression will fail (return code 0).
98 |
99 | The allocated memory can be provided to the compressions functions using 'void* state' parameter.
LZ4_compressHC_withStateHC() and LZ4_compressHC_limitedOutput_withStateHC() are equivalent to the previously described functions.
101 | They just use the externally allocated memory area instead of allocating their own (on stack, or on heap).
102 | */
103 |
104 |
105 | /**************************************
106 | Streaming Functions
107 | **************************************/
/* Streaming (dependent-block) API, detailed in the note below. LZ4_createHC returns NULL when
   allocation fails - check it before passing the handle on. inputBuffer must be caller-allocated and at
   least 192KB, and successive blocks must be contiguous or the *_continue calls return 0. Release the
   handle with LZ4_freeHC. */
__declspec(dllimport) void* LZ4_createHC(const char* inputBuffer);
__declspec(dllimport) int LZ4_compressHC_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize);
__declspec(dllimport) int LZ4_compressHC_limitedOutput_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int maxOutputSize);
__declspec(dllimport) char* LZ4_slideInputBufferHC(void* LZ4HC_Data);
__declspec(dllimport) int LZ4_freeHC(void* LZ4HC_Data);

__declspec(dllimport) int LZ4_compressHC2_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int compressionLevel);
__declspec(dllimport) int LZ4_compressHC2_limitedOutput_continue(void* LZ4HC_Data, const char* source, char* dest, int inputSize, int maxOutputSize, int compressionLevel);
116 |
117 | /*
118 | These functions allow the compression of dependent blocks, where each block benefits from prior 64 KB within preceding blocks.
119 | In order to achieve this, it is necessary to start creating the LZ4HC Data Structure, thanks to the function :
120 |
121 | void* LZ4_createHC (const char* inputBuffer);
122 | The result of the function is the (void*) pointer on the LZ4HC Data Structure.
123 | This pointer will be needed in all other functions.
124 | If the pointer returned is NULL, then the allocation has failed, and compression must be aborted.
125 | The only parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer.
126 | The input buffer must be already allocated, and size at least 192KB.
127 | 'inputBuffer' will also be the 'const char* source' of the first block.
128 |
129 | All blocks are expected to lay next to each other within the input buffer, starting from 'inputBuffer'.
130 | To compress each block, use either LZ4_compressHC_continue() or LZ4_compressHC_limitedOutput_continue().
131 | Their behavior are identical to LZ4_compressHC() or LZ4_compressHC_limitedOutput(),
132 | but require the LZ4HC Data Structure as their first argument, and check that each block starts right after the previous one.
133 | If next block does not begin immediately after the previous one, the compression will fail (return 0).
134 |
135 | When it's no longer possible to lay the next block after the previous one (not enough space left into input buffer), a call to :
136 | char* LZ4_slideInputBufferHC(void* LZ4HC_Data);
137 | must be performed. It will typically copy the latest 64KB of input at the beginning of input buffer.
138 | Note that, for this function to work properly, minimum size of an input buffer must be 192KB.
139 | ==> The memory position where the next input data block must start is provided as the result of the function.
140 |
141 | Compression can then resume, using LZ4_compressHC_continue() or LZ4_compressHC_limitedOutput_continue(), as usual.
142 |
143 | When compression is completed, a call to LZ4_freeHC() will release the memory used by the LZ4HC Data Structure.
144 | */
145 |
146 | __declspec(dllimport) int LZ4_sizeofStreamStateHC(void);
147 | __declspec(dllimport) int LZ4_resetStreamStateHC(void* state, const char* inputBuffer);
148 |
149 | /*
150 | These functions achieve the same result as :
151 | void* LZ4_createHC (const char* inputBuffer);
152 |
153 | They are provided here to allow the user program to allocate memory using its own routines.
154 |
155 | To know how much space must be allocated, use LZ4_sizeofStreamStateHC();
156 | Note also that space must be aligned for pointers (32 or 64 bits).
157 |
158 | Once space is allocated, you must initialize it using : LZ4_resetStreamStateHC(void* state, const char* inputBuffer);
159 | void* state is a pointer to the space allocated.
160 | It must be aligned for pointers (32 or 64 bits), and be large enough.
161 | The parameter 'const char* inputBuffer' must, obviously, point at the beginning of input buffer.
162 | The input buffer must be already allocated, and size at least 192KB.
163 | 'inputBuffer' will also be the 'const char* source' of the first block.
164 |
165 | The same space can be re-used multiple times, just by initializing it each time with LZ4_resetStreamStateHC().
166 | A return value of 0 from LZ4_resetStreamStateHC() means the state was initialized successfully.
167 | Any other value means there was an error (typically, 'state' is not aligned for pointers (32 or 64 bits)).
168 | */
169 |
170 |
171 | #if defined (__cplusplus)
172 | }
173 | #endif
174 |
175 | #endif //_LZ4HC_H
176 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/x32bridge.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/x32bridge.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/x32dbg.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/x32dbg.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/x64bridge.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/x64bridge.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/x64dbg.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/pluginsdk/x64dbg.lib
--------------------------------------------------------------------------------
/HyperHide/resource.h:
--------------------------------------------------------------------------------
#pragma once

//
// Control identifiers for the x64dbg plugin's settings dialog (resource.rc).
//
// The IDC_CHK_* values are checkbox IDs. Their names mirror, one for one and in
// the same order, the Hook* / Clear* / Save* BOOLEAN fields of HIDE_INFO in
// HyperHideDrv/Hider.h that the plugin sends to the driver, so adding a hook
// normally means a new checkbox here as well as a new field there (how the
// plugin maps one to the other is in Settings.cpp / pluginmain.cpp, not in
// this header). Values only need to be unique within the dialog.
//

// Dialog and icon
#define DLG_MAIN 100
#define IDB_ICON 101

// Syscall / kernel-side hooks (HIDE_INFO::Hook*)
#define IDC_CHK_NTQUERYINFORMATIONPROCESS 1000
#define IDC_CHK_NTQUERYSYSTEMINFORMATION 1001
#define IDC_CHK_NTQUERYINFORMATIONTHREAD 1002
#define IDC_CHK_NTQUERYINFORMATIONJOBOBJECT 1003
#define IDC_CHK_NTQUERYOBJECT 1004
#define IDC_CHK_NTQUERYSYSTEMTIME 1005
#define IDC_CHK_NTQUERYPERFORMANCECOUNTER 1006
#define IDC_CHK_NTCREATEUSERPROCESS 1007
#define IDC_CHK_NTCREATEPROCESSEX 1008
#define IDC_CHK_NTCREATETHREADEX 1009
#define IDC_CHK_NTSETCONTEXTTHREAD 1010
#define IDC_CHK_NTGETCONTEXTTHREAD 1011
#define IDC_CHK_NTOPENPROCESS 1012
#define IDC_CHK_NTOPENTHREAD 1013
#define IDC_CHK_NTSETINFORMATIONTHREAD 1014
#define IDC_CHK_NTSYSTEMDEBUGCONTROL 1015
#define IDC_CHK_NTGETNEXTPROCESS 1016
#define IDC_CHK_NTYIELDEXECUTION 1017
#define IDC_CHK_NTCREATEFILE 1018
#define IDC_CHK_NTCONTINUE 1019
#define IDC_CHK_NTCLOSE 1020
#define IDC_CHK_NTUSERBUILDHWNDLIST 1021
#define IDC_CHK_NTUSERFINDWINDOWEX 1022
#define IDC_CHK_NTUSERQUERYWINDOW 1023
#define IDC_CHK_NTUSERGETFOREGROUNDWINDOW 1024
#define IDC_CHK_KUSER_SHARED_DATA 1025
#define IDC_CHK_KIEXCEPTIONDISPATCH 1026
#define IDC_CHK_NTSETINFORMATIONPROCESS 1027

// One-off process fix-ups and state saves (HIDE_INFO::Clear* / Save*)
#define IDC_CHK_CLEARPEBBEINGDEBUGGED 1028
#define IDC_CHK_CLEARPEBNTGLOBALFLAG 1029
#define IDC_CHK_CLEARHEAPFLAGS 1030
#define IDC_CHK_CLEARKUSERSHAREDDATA 1031
#define IDC_CHK_CLEARHIDEFROMDEBUGGER 1032
#define IDC_CHK_CLEARBYPASSFREEZEFLAG 1033
#define IDC_CHK_CLEARPROCESSBREAKONTERM 1034
#define IDC_CHK_CLEARTHREADBREAKONTERM 1035
#define IDC_CHK_SAVEPROCESSDEBUGFLAGS 1036
#define IDC_CHK_SAVEPROCESSHANDLETRACING 1037

// "Select all" helper checkbox (no HIDE_INFO counterpart)
#define IDC_CHK_SELECT_ALL 1038

// Profile combo box, buttons and static text
#define IDC_COB_CURRENTPROFILE 2000
#define IDC_BTN_OK 3000
#define IDC_BTN_CREATENEWPROFILE 3001
#define IDC_TXT_COPYRIGHT 4000
#define IDC_TXT_CURRENT 4001

--------------------------------------------------------------------------------
/HyperHide/resource.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/HyperHide/resource.rc
--------------------------------------------------------------------------------
/HyperHideDrv/Dispatcher.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | #include
3 | #include "Ioctl.h"
4 | #include "Hider.h"
5 | #include "Utils.h"
6 | #include "KuserSharedData.h"
7 | #include "GlobalData.h"
8 | #include "Peb.h"
9 | #include "HypervisorGateway.h"
10 |
11 | extern HYPER_HIDE_GLOBAL_DATA g_HyperHide;
12 |
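//
// Checks that the current IOCTL's buffered input exists and is at least
// Required bytes long.
//
// With METHOD_BUFFERED the I/O manager sizes SystemBuffer to the larger of the
// input and output lengths and leaves it NULL when both are zero. The original
// cases read sizeof(ULONG) / sizeof(HIDE_INFO) / sizeof(BOOLEAN) from it
// unconditionally, i.e. a NULL dereference or a pool over-read on a short
// buffer, both reachable from user mode with a single DeviceIoControl call.
//
static BOOLEAN InputFits(PIRP Irp, PIO_STACK_LOCATION Stack, SIZE_T Required)
{
    return Irp->AssociatedIrp.SystemBuffer != NULL
        && Stack->Parameters.DeviceIoControl.InputBufferLength >= Required;
}

//
// Reads the ULONG PID at the start of the input buffer and resolves it.
//
// Returns the process, or NULL with *Status set to STATUS_BUFFER_TOO_SMALL
// (input absent or short) or STATUS_INVALID_PARAMETER (PidToProcess() gave
// NULL). PidToProcess() is assumed to return NULL for a PID that is not a live
// process - TODO confirm in Utils. Whether it takes an object reference that
// should be dropped afterwards is not visible here; that is unchanged from the
// original, which never released one either.
//
static PEPROCESS ProcessFromInputPid(PIRP Irp, PIO_STACK_LOCATION Stack, NTSTATUS* Status)
{
    if (InputFits(Irp, Stack, sizeof(ULONG)) == FALSE)
    {
        *Status = STATUS_BUFFER_TOO_SMALL;
        return NULL;
    }

    ULONG Pid = *(ULONG*)Irp->AssociatedIrp.SystemBuffer;
    PEPROCESS Process = PidToProcess(Pid);
    if (Process == NULL)
        *Status = STATUS_INVALID_PARAMETER;

    return Process;
}

//
// IRP_MJ_DEVICE_CONTROL handler for \Device\HyperHideDrv.
//
// Every IOCTL is issued by the user-mode x64dbg plugin through a buffered
// transfer, so SystemBuffer is untrusted in both presence and length. Each
// case now validates the input before touching it, and a PID that does not
// resolve is rejected instead of being passed on as a NULL PEPROCESS.
// NumberOfActiveDebuggers is updated with Interlocked* because nothing
// serialises concurrent IOCTLs here.
//
// NOTE(review): the device is created with the default device DACL
// (Driver.cpp), so any local user can reach this dispatcher and, for example,
// register itself as the "debugger" of an arbitrary PID, rewrite another
// process's PEB flags, or toggle hypervisor visibility. The checks below stop
// malformed input from faulting the kernel; they are not authorisation.
// Restricting who may open the device is the real fix.
//
// Parameters:
//   DeviceObject - unused.
//   Irp          - the device-control IRP; always completed here with
//                  IO_NO_INCREMENT and Information = 0.
//
// Returns the status also stored in Irp->IoStatus.Status:
//   STATUS_SUCCESS; STATUS_BUFFER_TOO_SMALL (input shorter than the case
//   expects); STATUS_INVALID_PARAMETER (PID did not resolve);
//   STATUS_INVALID_DEVICE_REQUEST (unknown control code - the original
//   answered those with success); STATUS_UNSUCCESSFUL when the Hider / PEB
//   helper reports failure.
//
NTSTATUS DrvIOCTLDispatcher(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    PIO_STACK_LOCATION Stack = IoGetCurrentIrpStackLocation(Irp);
    const ULONG IoControlCode = Stack->Parameters.DeviceIoControl.IoControlCode;
    NTSTATUS Status = STATUS_SUCCESS;

    switch (IoControlCode)
    {
    case IOCTL_ADD_HIDER_ENTRY:
    {
        // The caller is the debugger; the PID it sends is the debuggee.
        PEPROCESS Debugged = ProcessFromInputPid(Irp, Stack, &Status);
        if (Debugged == NULL)
            break;

        if (Hider::CreateEntry(IoGetCurrentProcess(), Debugged) == FALSE)
            Status = STATUS_UNSUCCESSFUL;
        else
            InterlockedIncrement((volatile LONG*)&g_HyperHide.NumberOfActiveDebuggers);
        break;
    }

    case IOCTL_REMOVE_HIDER_ENTRY:
    {
        PEPROCESS Process = ProcessFromInputPid(Irp, Stack, &Status);
        if (Process == NULL)
            break;

        if (Hider::RemoveEntry(Process) == FALSE)
            Status = STATUS_UNSUCCESSFUL;
        else
            InterlockedDecrement((volatile LONG*)&g_HyperHide.NumberOfActiveDebuggers);
        break;
    }

    case IOCTL_HIDE_FROM_SYSCALL:
    {
        if (InputFits(Irp, Stack, sizeof(HIDE_INFO)) == FALSE)
        {
            Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }

        // HIDE_INFO::Pid is still untrusted at this point; Hider::Hide() is
        // expected to resolve and validate it (not visible here).
        PHIDE_INFO HideInfo = (PHIDE_INFO)Irp->AssociatedIrp.SystemBuffer;
        if (Hider::Hide(HideInfo) == FALSE)
            Status = STATUS_UNSUCCESSFUL;
        break;
    }

    case IOCTL_PROCESS_RESUMED:
    {
        PEPROCESS Debugged = ProcessFromInputPid(Irp, Stack, &Status);
        if (Debugged == NULL)
            break;

        // Time accounting first (as in the original), then the counter.
        UpdateDelta(Debugged);
        if (Hider::ResumeCounterForProcess(Debugged) == FALSE)
            Status = STATUS_UNSUCCESSFUL;
        break;
    }

    case IOCTL_PROCESS_STOPPED:
    {
        PEPROCESS Debugged = ProcessFromInputPid(Irp, Stack, &Status);
        if (Debugged == NULL)
            break;

        GetBegin(Debugged);
        if (Hider::StopCounterForProcess(Debugged) == FALSE)
            Status = STATUS_UNSUCCESSFUL;
        break;
    }

    case IOCTL_CLEAR_PEB_DEBUGGER_FLAG:
    case IOCTL_SET_PEB_DEBUGGER_FLAG:
    {
        PEPROCESS Debugged = ProcessFromInputPid(Irp, Stack, &Status);
        if (Debugged == NULL)
            break;

        const BOOLEAN SetFlag = (IoControlCode == IOCTL_SET_PEB_DEBUGGER_FLAG) ? TRUE : FALSE;
        if (SetPebDeuggerFlag(Debugged, SetFlag) == FALSE)
            Status = STATUS_UNSUCCESSFUL;
        break;
    }

    case IOCTL_SET_HYPERVISOR_VISIBILITY:
    {
        if (InputFits(Irp, Stack, sizeof(BOOLEAN)) == FALSE)
        {
            Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }

        // System-wide switch, not tied to a debugger entry: anyone who can
        // open the device can flip it.
        BOOLEAN Visible = *(BOOLEAN*)Irp->AssociatedIrp.SystemBuffer;
        hv::hypervisor_visible(Visible);
        break;
    }

    default:
        Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = 0;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}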
--------------------------------------------------------------------------------
/HyperHideDrv/Dispatcher.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | NTSTATUS DrvIOCTLDispatcher(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp);
--------------------------------------------------------------------------------
/HyperHideDrv/Driver.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | #include
3 | #include "Log.h"
4 | #include "Utils.h"
5 | #include "HookedFunctions.h"
6 | #include "GlobalData.h"
7 | #include "HypervisorGateway.h"
8 | #include "Dispatcher.h"
9 | #include "Notifiers.h"
10 | #include "Ssdt.h"
11 | #include "Ntapi.h"
12 | #include
13 |
14 | HYPER_HIDE_GLOBAL_DATA g_HyperHide = { 0 };
15 |
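//
// Driver unload: tears down the Hider state, the process/thread notify
// routines, the hypervisor hooks and finally the device object.
//
// The two 100 ms delays come from the original; presumably they let callers
// that are still inside a hooked path drain before the code behind the hook
// goes away. Whether 100 ms is enough is not established here - TODO confirm
// against the hypervisor's unhook semantics.
//
// NOTE(review): Hider::Uninitialize() runs before the notify routines are
// removed, so ThreadNotifyRoutine/ProcessNotifyRoutine can still fire against
// a torn-down Hider during the first delay; whether they tolerate that is not
// visible here. The order is kept from the original.
//
// DriverObject->DeviceObject is NULL when IoCreateDevice failed in
// DriverEntry (the original did not check its result), so the device is only
// deleted when it exists.
//
VOID DrvUnload(PDRIVER_OBJECT DriverObject)
{
    Hider::Uninitialize();

    LARGE_INTEGER WaitTime;
    WaitTime.QuadPart = -1000000LL; // relative 100ms (100 ns units)
    KeDelayExecutionThread(KernelMode, FALSE, &WaitTime);

    PsRemoveCreateThreadNotifyRoutine(ThreadNotifyRoutine);
    PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutine, TRUE);

    hv::unhook_all_functions();

    KeDelayExecutionThread(KernelMode, FALSE, &WaitTime);

    UNICODE_STRING DosDeviceName;
    RtlInitUnicodeString(&DosDeviceName, L"\\DosDevices\\HyperHideDrv");
    IoDeleteSymbolicLink(&DosDeviceName);

    if (DriverObject->DeviceObject != NULL)
        IoDeleteDevice(DriverObject->DeviceObject);

    LogInfo("Driver Unloaded");
}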
39 |
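//
// IRP_MJ_CLOSE handler: the last handle some process held on the device is
// gone. If that process had registered as a debugger (IOCTL_ADD_HIDER_ENTRY),
// its Hider entry is dropped here, presumably so a debugger that exits
// without sending IOCTL_REMOVE_HIDER_ENTRY does not leave its debuggee hidden.
// IoGetCurrentProcess() is taken to be the closing process, as the original
// did; for a handle torn down from another context that may not hold.
//
// Two changes from the original:
//   * NumberOfActiveDebuggers is decremented on a successful removal, matching
//     IOCTL_REMOVE_HIDER_ENTRY in Dispatcher.cpp. The original only removed the
//     entry, so a debugger that died (rather than sending REMOVE) left the
//     counter one too high for good.
//   * The IRP is always completed with STATUS_SUCCESS. Any process may open
//     and close the device (DrvCreate accepts everything), and
//     Hider::RemoveEntry() returning FALSE for a process that never registered
//     is the normal case, not an error; the original reported
//     STATUS_UNSUCCESSFUL in IoStatus while returning STATUS_SUCCESS.
//
NTSTATUS DrvClose(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    // Best effort: FALSE means "this process was not a registered debugger".
    if (Hider::RemoveEntry(IoGetCurrentProcess()) != FALSE)
        InterlockedDecrement((volatile LONG*)&g_HyperHide.NumberOfActiveDebuggers);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return STATUS_SUCCESS;
}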
54 |
//
// IRP_MJ_CREATE handler: every open of \Device\HyperHideDrv succeeds and
// allocates no per-handle state. A process that wants to act as a debugger
// registers afterwards through IOCTL_ADD_HIDER_ENTRY (Dispatcher.cpp).
//
NTSTATUS DrvCreate(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    const NTSTATUS Result = STATUS_SUCCESS;

    Irp->IoStatus.Status = Result;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return Result;
}
66 |
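//
// Reverses the initialisation done up to and including HookSyscalls(), in the
// reverse order of DriverEntry. Used by the late failure paths; DrvUnload keeps
// its own sequence with settle delays.
//
static VOID UndoInitialization()
{
    hv::unhook_all_functions();
    PsRemoveCreateThreadNotifyRoutine(ThreadNotifyRoutine);
    PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutine, TRUE);
    Hider::Uninitialize();
}

//
// Driver entry point.
//
// Order matters: the hypervisor must answer the test VMCALL, then the
// build-dependent offsets and the SSDT are resolved, the Hider state is
// initialised, the notify routines are registered and the syscalls are
// hooked; only then is the device exposed. Every failure undoes the steps
// that succeeded before it.
//
// Changes from the original:
//   * OSVERSIONINFOW.dwOSVersionInfoSize is set before RtlGetVersion, as that
//     routine requires; the original passed an uninitialised structure.
//   * IoCreateDevice and IoCreateSymbolicLink are checked. The original
//     ignored both and returned success without a device, which left
//     DrvUnload to call IoDeleteDevice on a NULL device object.
//   * DO_BUFFERED_IO is set on the DEVICE_OBJECT. The original OR-ed it into
//     Driver->Flags, a DRIVER_OBJECT field where that bit means something
//     else. It only governs read/write anyway; the IOCTL transfer type comes
//     from each control code's METHOD_ bits (Dispatcher.cpp assumes
//     METHOD_BUFFERED / SystemBuffer).
//
// Security: IoCreateDevice applies the default device DACL, and
// FILE_DEVICE_SECURE_OPEN only extends the device's own descriptor to opens
// of names below it - it does not restrict who may open the device. Any local
// user can therefore drive the IOCTLs in Dispatcher.cpp. The fix is
// IoCreateDeviceSecure with an SDDL such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL, which
// needs <wdmsec.h> / wdmsec.lib and is left as a TODO rather than added
// blindly here.
//
// Returns STATUS_SUCCESS, the RtlGetVersion / IoCreateDevice /
// IoCreateSymbolicLink failure status, or STATUS_UNSUCCESSFUL for the
// project-level steps that report only TRUE/FALSE.
//
extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT Driver, PCUNICODE_STRING Reg)
{
    UNREFERENCED_PARAMETER(Reg);

    PDEVICE_OBJECT DeviceObject = NULL;
    UNICODE_STRING DriverName, DosDeviceName;
    NTSTATUS Status;

    OSVERSIONINFOW OsVersion = { 0 };
    OsVersion.dwOSVersionInfoSize = sizeof(OsVersion);
    Status = RtlGetVersion(&OsVersion);
    if (!NT_SUCCESS(Status))
        return Status;
    g_HyperHide.CurrentWindowsBuildNumber = OsVersion.dwBuildNumber;

    // SEH guard kept from the original, presumably because the VMCALL raises
    // an exception when no hypervisor is running.
    __try
    {
        if (hv::test_vmcall() == FALSE)
            return STATUS_UNSUCCESSFUL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return STATUS_UNSUCCESSFUL;
    }

    LogInfo("HyperVisor On");

    if (GetOffsets() == FALSE)
        return STATUS_UNSUCCESSFUL;

    LogInfo("Got offsets");

    if (SSDT::GetSsdt() == FALSE)
        return STATUS_UNSUCCESSFUL;

    LogInfo("Got Ssdt");

    if (Hider::Initialize() == FALSE)
        return STATUS_UNSUCCESSFUL;

    LogInfo("Hider Initialized");

    if (!NT_SUCCESS(PsSetCreateThreadNotifyRoutine(ThreadNotifyRoutine)))
    {
        Hider::Uninitialize();
        return STATUS_UNSUCCESSFUL;
    }

    LogInfo("PsSetCreateThreadNotifyRoutine succeded");

    if (!NT_SUCCESS(PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutine, FALSE)))
    {
        PsRemoveCreateThreadNotifyRoutine(ThreadNotifyRoutine);
        Hider::Uninitialize();
        return STATUS_UNSUCCESSFUL;
    }

    LogInfo("PsSetCreateProcessNotifyRoutine succeded");

    if (HookSyscalls() == FALSE)
    {
        UndoInitialization();
        return STATUS_UNSUCCESSFUL;
    }

    LogInfo("Syscalls Hooked");

    RtlInitUnicodeString(&DriverName, L"\\Device\\HyperHideDrv");
    RtlInitUnicodeString(&DosDeviceName, L"\\DosDevices\\HyperHideDrv");

    // TODO(security): replace with IoCreateDeviceSecure(..., &SDDL_DEVOBJ_SYS_ALL_ADM_ALL, NULL, &DeviceObject)
    // so that only SYSTEM and administrators can open the device.
    Status = IoCreateDevice(Driver, 0, &DriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &DeviceObject);
    if (!NT_SUCCESS(Status))
    {
        UndoInitialization();
        return Status;
    }

    Driver->MajorFunction[IRP_MJ_CLOSE] = DrvClose;
    Driver->MajorFunction[IRP_MJ_CREATE] = DrvCreate;
    Driver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvIOCTLDispatcher;
    Driver->DriverUnload = DrvUnload;

    DeviceObject->Flags |= DO_BUFFERED_IO;

    Status = IoCreateSymbolicLink(&DosDeviceName, &DriverName);
    if (!NT_SUCCESS(Status))
    {
        IoDeleteDevice(DeviceObject);
        UndoInitialization();
        return Status;
    }

    LogInfo("Driver initialized");

    return STATUS_SUCCESS;
}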
--------------------------------------------------------------------------------
/HyperHideDrv/GlobalData.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #define KUSER_SHARED_DATA_USERMODE 0x7FFE0000
3 | #define KUSER_SHARED_DATA_KERNELMODE 0xFFFFF78000000000
4 | #define DRIVER_TAG 'dHyH'
5 | #define WINDOWS_7 7600
6 | #define WINDOWS_7_SP1 7601
7 | #define WINDOWS_8 9200
8 | #define WINDOWS_8_1 9600
9 | #define WINDOWS_10_VERSION_THRESHOLD1 10240
10 | #define WINDOWS_10_VERSION_THRESHOLD2 10586
11 | #define WINDOWS_10_VERSION_REDSTONE1 14393
12 | #define WINDOWS_10_VERSION_REDSTONE2 15063
13 | #define WINDOWS_10_VERSION_REDSTONE3 16299
14 | #define WINDOWS_10_VERSION_REDSTONE4 17134
15 | #define WINDOWS_10_VERSION_REDSTONE5 17763
16 | #define WINDOWS_10_VERSION_19H1 18362
17 | #define WINDOWS_10_VERSION_19H2 18363
18 | #define WINDOWS_10_VERSION_20H1 19041
19 | #define WINDOWS_10_VERSION_20H2 19042
20 | #define WINDOWS_10_VERSION_21H1 19043
21 | #define WINDOWS_10_VERSION_21H2 19044
22 | #define WINDOWS_10_VERSION_22H2 19045
23 | #define WINDOWS_11 22000
24 |
25 |
//
// Driver-wide state. The single instance is g_HyperHide, defined in Driver.cpp
// and referenced through `extern` elsewhere.
//
typedef struct _HYPER_HIDE_GLOBAL_DATA
{
    // OSVERSIONINFOW.dwBuildNumber captured in DriverEntry; compared against
    // the WINDOWS_* build constants above to select build-specific syscall
    // numbers (HookHelper.cpp).
    ULONG CurrentWindowsBuildNumber;
    // Number of registered debuggers: raised on a successful
    // IOCTL_ADD_HIDER_ENTRY and lowered on a successful
    // IOCTL_REMOVE_HIDER_ENTRY (Dispatcher.cpp). IOCTLs are not serialised,
    // so updates need to be atomic (Interlocked*). Its readers are not in
    // this listing.
    ULONG NumberOfActiveDebuggers;
}HYPER_HIDE_GLOBAL_DATA,*PHYPER_HIDE_GLOBAL_DATA;
--------------------------------------------------------------------------------
/HyperHideDrv/Heap.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201 4100 4101 4244 4333 4245 4366)
2 | #include
3 | #include "Ntapi.h"
4 | #include "Log.h"
5 | #include "Heap.h"
6 | #include "Peb.h"
7 |
8 | #define HEAP_SKIP_VALIDATION_CHECKS 0x10000000
9 | #define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000
10 |
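// Bits removed from HEAP::Flags and HEAP::ForceFlags respectively (same sets
// as the original).
static const ULONG HeapFlagsToClear = HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_SKIP_VALIDATION_CHECKS | HEAP_VALIDATE_PARAMETERS_ENABLED;
static const ULONG HeapForceFlagsToClear = HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED;

// Offsets of Flags / ForceFlags in the 32-bit _HEAP, hard-coded as in the
// original (0x40 / 0x44). TODO confirm they hold on every build in
// GlobalData.h; there is no HEAP32 definition to take them from here.
static const ULONG Heap32FlagsOffset = 0x40;
static const ULONG Heap32ForceFlagsOffset = 0x44;

//
// Clears the debug bits of every heap listed in a WOW64 process's 32-bit PEB.
// Must be called attached to the target and inside __try: ProbeForRead /
// ProbeForWrite raise for kernel-range or misaligned addresses, and any
// unmapped page faults.
//
static VOID ClearWow64HeapFlags(PPEB32 Peb32)
{
    const ULONG NumberOfHeaps = Peb32->NumberOfHeaps;
    // ProcessHeaps is a 32-bit pointer stored as an integer.
    const ULONG_PTR HeapArray = (ULONG_PTR)Peb32->ProcessHeaps;

    ProbeForRead((PVOID)HeapArray, (SIZE_T)NumberOfHeaps * sizeof(ULONG), sizeof(ULONG));

    for (ULONG i = 0; i < NumberOfHeaps; i++)
    {
        const ULONG_PTR Heap = *(ULONG*)(HeapArray + sizeof(ULONG) * i);

        // The heap pointer itself is user-controlled; refuse anything outside
        // the user range before writing through it.
        ProbeForWrite((PVOID)Heap, Heap32ForceFlagsOffset + sizeof(ULONG), sizeof(ULONG));

        *(ULONG*)(Heap + Heap32FlagsOffset) &= ~HeapFlagsToClear;
        *(ULONG*)(Heap + Heap32ForceFlagsOffset) &= ~HeapForceFlagsToClear;
    }
}

//
// Clears the debug bits of every heap listed in the native (64-bit) PEB.
// Same calling requirements as ClearWow64HeapFlags.
//
static VOID ClearNativeHeapFlags(PPEB Peb)
{
    const ULONG NumberOfHeaps = Peb->NumberOfHeaps;
    PVOID* HeapArray = (PVOID*)Peb->ProcessHeaps;

    ProbeForRead(HeapArray, (SIZE_T)NumberOfHeaps * sizeof(PVOID), sizeof(PVOID));

    for (ULONG i = 0; i < NumberOfHeaps; i++)
    {
        PHEAP Heap = (PHEAP)HeapArray[i];

        ProbeForWrite(Heap, sizeof(HEAP), sizeof(ULONG));

        Heap->Flags &= ~HeapFlagsToClear;
        Heap->ForceFlags &= ~HeapForceFlagsToClear;
    }
}

//
// Heap-flags anti-anti-debug fix-up.
//
// A process started under a debugger carries HEAP_TAIL_CHECKING_ENABLED /
// HEAP_FREE_CHECKING_ENABLED / HEAP_VALIDATE_PARAMETERS_ENABLED in every heap's
// Flags and ForceFlags (see the ctf-wiki page the original cites: the normal
// values are Flags == HEAP_GROWABLE and ForceFlags == 0). This strips those
// bits from every heap recorded in the target's PEB(s), both the native PEB
// and, for WOW64 processes, the 32-bit one.
//
// Security: everything read after PsGetProcessPeb / PsGetProcessWow64Process
// is in the target's user address space and writable by the target.
// NumberOfHeaps, the ProcessHeaps array and every heap pointer in it are
// therefore attacker controlled. The original only wrapped the accesses in
// __try, which catches page faults but not a write through a valid kernel
// address a hostile debuggee plants in its PEB. Every pointer is now probed
// (ProbeForRead / ProbeForWrite) before it is dereferenced; a probe failure
// raises and lands in the same __except as a fault.
//
// Parameters:
//   TargetProcess - the debuggee.
//
// Returns TRUE when every heap of every present PEB was updated; FALSE when
// the process has neither PEB or any access faulted / failed probing (logged
// as "Access violation", as before). The original also returned FALSE for a
// process with a 32-bit PEB but no native one; that case now succeeds once
// the 32-bit heaps are done.
//
BOOLEAN ClearHeapFlags(PEPROCESS TargetProcess)
{
    PPEB Peb = (PPEB)PsGetProcessPeb(TargetProcess);
    PPEB32 Peb32 = (PPEB32)PsGetProcessWow64Process(TargetProcess);

    if (Peb == NULL && Peb32 == NULL)
    {
        LogError("Both Peb and Peb32 doesn't exist");
        return FALSE;
    }

    BOOLEAN Result = TRUE;
    KAPC_STATE State;
    KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);

    __try
    {
        if (Peb32 != NULL)
            ClearWow64HeapFlags(Peb32);

        if (Peb != NULL)
            ClearNativeHeapFlags(Peb);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        LogError("Access violation");
        Result = FALSE;
    }

    KeUnstackDetachProcess(&State);
    return Result;
}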
--------------------------------------------------------------------------------
/HyperHideDrv/Hider.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "Pte.h"
3 |
//
// Which anti-debug vector a hook (or related mechanism) is concealing. Used as
// the index into HIDDEN_PROCESS::HideTypes[] below, so a hook can ask
// Hider::IsHidden(Process, HIDE_...) whether the debugger opted in for that
// process.
//
// The values are listed in the same order as the Hook* BOOLEANs of HIDE_INFO;
// the mapping between the two is presumably positional in Hider::Hide()
// (Hider.cpp, not in this listing). Add new values before HIDE_LAST and keep
// the two lists aligned.
//
enum HIDE_TYPE
{
    HIDE_NT_QUERY_INFORMATION_PROCESS,
    HIDE_NT_QUERY_SYSTEM_INFORMATION,
    HIDE_NT_QUERY_INFORMATION_THREAD,
    HIDE_NT_QUERY_INFORMATION_JOB_OBJECT,
    HIDE_NT_QUERY_OBJECT,
    HIDE_NT_QUERY_SYSTEM_TIME,
    HIDE_NT_QUERY_PERFORMANCE_COUNTER,
    HIDE_NT_CREATE_USER_PROCESS,
    HIDE_NT_CREATE_PROCESS_EX,
    HIDE_NT_CREATE_THREAD_EX,
    HIDE_NT_SET_CONTEXT_THREAD,
    HIDE_NT_GET_CONTEXT_THREAD,
    HIDE_NT_OPEN_PROCESS,
    HIDE_NT_OPEN_THREAD,
    HIDE_NT_SET_INFORMATION_THREAD,
    HIDE_NT_SYSTEM_DEBUG_CONTROL,
    HIDE_NT_GET_NEXT_PROCESS,
    HIDE_NT_YIELD_EXECUTION,
    HIDE_NT_CREATE_FILE,
    HIDE_NT_CONTINUE,
    HIDE_NT_CLOSE,
    HIDE_NT_USER_BUILD_HWND_LIST,
    HIDE_NT_USER_FIND_WINDOW_EX,
    HIDE_NT_USER_QUERY_WINDOW,
    HIDE_NT_USER_GET_FOREGROUND_WINDOW,
    HIDE_KUSER_SHARED_DATA,
    HIDE_KI_EXCEPTION_DISPATCH,
    HIDE_NT_SET_INFORMATION_PROCESS,
    // Count of entries; sizes HIDDEN_PROCESS::HideTypes.
    HIDE_LAST
};
36 |
//
// Input buffer of IOCTL_HIDE_FROM_SYSCALL (Dispatcher.cpp): which hooks and
// which one-off process fix-ups the plugin wants for the debuggee `Pid`.
//
// This is the user/kernel ABI. The plugin side presumably carries its own copy
// of the layout (HyperHide/Ioctl.h); the two must stay byte-for-byte
// identical: append new fields at the end, never reorder, and keep the 1-byte
// BOOLEANs (42 bytes of fields, sizeof 44 under default alignment).
//
// Everything here is untrusted. The dispatcher must check
// InputBufferLength >= sizeof(HIDE_INFO) before reading it, and Pid has to be
// resolved and validated by the consumer rather than assumed to be the
// registered debuggee.
//
typedef struct _HIDE_INFO
{
    // Debuggee process id.
    ULONG Pid;
    // Per-hook opt-ins, in HIDE_TYPE order.
    BOOLEAN HookNtQueryInformationProcess;
    BOOLEAN HookNtQuerySystemInformation;
    BOOLEAN HookNtQueryInformationThread;
    BOOLEAN HookNtQueryInformationJobObject;
    BOOLEAN HookNtQueryObject;
    BOOLEAN HookNtQuerySystemTime;
    BOOLEAN HookNtQueryPerformanceCounter;
    BOOLEAN HookNtCreateUserProcess;
    BOOLEAN HookNtCreateProcessEx;
    BOOLEAN HookNtCreateThreadEx;
    BOOLEAN HookNtSetContextThread;
    BOOLEAN HookNtGetContextThread;
    BOOLEAN HookNtOpenProcess;
    BOOLEAN HookNtOpenThread;
    BOOLEAN HookNtSetInformationThread;
    BOOLEAN HookNtSystemDebugControl;
    BOOLEAN HookNtGetNextProcess;
    BOOLEAN HookNtYieldExecution;
    BOOLEAN HookNtCreateFile;
    BOOLEAN HookNtContinue;
    BOOLEAN HookNtClose;
    BOOLEAN HookNtUserBuildHwndList;
    BOOLEAN HookNtUserFindWindowEx;
    BOOLEAN HookNtUserQueryWindow;
    BOOLEAN HookNtUserGetForegroundWindow;
    BOOLEAN HookKuserSharedData;
    BOOLEAN HookKiDispatchException;
    BOOLEAN HookNtSetInformationProcess;
    // One-off fix-ups applied to the debuggee's state (e.g. ClearHeapFlags in
    // Heap.cpp); HIDDEN_PROCESS records which ones were done.
    BOOLEAN ClearPebBeingDebugged;
    BOOLEAN ClearPebNtGlobalFlag;
    BOOLEAN ClearHeapFlags;
    BOOLEAN ClearKuserSharedData;
    BOOLEAN ClearHideFromDebuggerFlag;
    BOOLEAN ClearBypassProcessFreeze;
    BOOLEAN ClearProcessBreakOnTerminationFlag;
    BOOLEAN ClearThreadBreakOnTerminationFlag;
    // Values captured for later restoration (HIDDEN_PROCESS::Value*).
    BOOLEAN SaveProcessDebugFlags;
    BOOLEAN SaveProcessHandleTracing;
}HIDE_INFO, * PHIDE_INFO;
79 |
//
// Hider: the driver-side registry of debugger/debuggee pairs and the per-
// process anti-anti-debug state. Entries are created from
// IOCTL_ADD_HIDER_ENTRY (debugger = IoGetCurrentProcess(), debuggee = the sent
// PID) and removed from IOCTL_REMOVE_HIDER_ENTRY or the debugger's
// IRP_MJ_CLOSE (Dispatcher.cpp, Driver.cpp). The definitions live in
// Hider.cpp, which is not part of this listing; comments below that go beyond
// the signatures are marked as assumptions.
//
namespace Hider
{
    // Flag for the counter thread; set and read in Hider.cpp (not visible here).
    extern BOOLEAN StopCounterThread;
    // Head of the HIDDEN_PROCESS list (linked through HiddenProcessesList).
    extern LIST_ENTRY HiddenProcessesHead;
    // Presumably guards HiddenProcessesHead and the per-process thread lists -
    // confirm in Hider.cpp before touching either without it.
    extern KGUARDED_MUTEX HiderMutex;

    //
    // Fake 64-bit debug-register state kept per hidden thread
    // (HIDDEN_THREAD::FakeDebugContext). Presumably what the hooked
    // NtGetContextThread reports in place of the real DR0-DR7 and the
    // CONTEXT's DebugControl / LastBranch* / LastException* fields - confirm
    // in HookedFunctions.cpp.
    //
    typedef struct _DEBUG_CONTEXT
    {
        ULONG64 DR0;
        ULONG64 DR1;
        ULONG64 DR2;
        ULONG64 DR3;
        ULONG64 DR6;
        ULONG64 DR7;

        ULONG64 DebugControl;
        ULONG64 LastBranchFromRip;
        ULONG64 LastBranchToRip;
        ULONG64 LastExceptionFromRip;
        ULONG64 LastExceptionToRip;
    }DEBUG_CONTEXT,* PDEBUG_CONTEXT;

    // 32-bit counterpart of DEBUG_CONTEXT for WOW64 threads (debug registers only).
    typedef struct _WOW64_DEBUG_CONTEXT
    {
        ULONG DR0;
        ULONG DR1;
        ULONG DR2;
        ULONG DR3;
        ULONG DR6;
        ULONG DR7;
    }WOW64_DEBUG_CONTEXT,*PWOW64_DEBUG_CONTEXT;

    //
    // Per-process KUSER_SHARED_DATA replacement and the time bookkeeping
    // around it. The three pointer/PFN fields together suggest the user-mode
    // KUSER_SHARED_DATA page (0x7FFE0000) is re-pointed at a driver-owned copy
    // and restored from the original PFN - confirm in KuserSharedData.cpp.
    //
    // Begin* is snapshotted on IOCTL_PROCESS_STOPPED (GetBegin) and Delta* is
    // updated on IOCTL_PROCESS_RESUMED (UpdateDelta), see Dispatcher.cpp;
    // presumably the time the debuggee spent suspended, to be hidden from the
    // time values it reads.
    //
    typedef struct _KUSD
    {
        // Pointer to new KuserSharedData
        PKUSER_SHARED_DATA KuserSharedData;

        // Pte of virtual page number 7FFE0
        PTE* PteKuserSharedData;

        // Page frame number of original KuserSharedData
        ULONG OriginalKuserSharedDataPfn;

        // Begin
        ULONG64 BeginInterruptTime;
        ULONG64 BeginSystemTime;
        ULONG BeginLastSystemRITEventTickCount;
        ULONG64 BeginTickCount;
        ULONG64 BeginTimeUpdateLock;
        ULONG64 BeginBaselineSystemQpc;

        // Delta
        ULONG64 DeltaInterruptTime;
        ULONG64 DeltaSystemTime;
        ULONG DeltaLastSystemRITEventTickCount;
        ULONG64 DeltaTickCount;
        ULONG64 DeltaTimeUpdateLock;
        ULONG64 DeltaBaselineSystemQpc;
    }KUSD, * PKUSD;

    //
    // One thread of a hidden process, linked from HIDDEN_PROCESS::HiddenThreads.
    //
    typedef struct _HIDDEN_THREAD
    {
        LIST_ENTRY HiddenThreadList;
        PETHREAD ThreadObject;
        WOW64_DEBUG_CONTEXT FakeWow64DebugContext;
        DEBUG_CONTEXT FakeDebugContext;
        // Presumably tracks ThreadHideFromDebugger (cf. HIDE_INFO::ClearHideFromDebuggerFlag).
        BOOLEAN IsThreadHidden;
        // Presumably the saved ThreadBreakOnTermination value (cf. HIDE_INFO::ClearThreadBreakOnTerminationFlag).
        BOOLEAN BreakOnTermination;
    }HIDDEN_THREAD, * PHIDDEN_THREAD;

    //
    // One debugger/debuggee pair and everything the hooks need to know about
    // the debuggee. Created by CreateEntry(), looked up by QueryHiddenProcess().
    //
    typedef struct _HIDDEN_PROCESS
    {
        LIST_ENTRY HiddenProcessesList;

        // List head for the process's HIDDEN_THREAD entries.
        HIDDEN_THREAD HiddenThreads;

        PEPROCESS DebuggerProcess;
        PEPROCESS DebuggedProcess;

        LARGE_INTEGER FakePerformanceCounter;
        LARGE_INTEGER FakeSystemTime;

        // Indexed by HIDE_TYPE; queried through IsHidden().
        BOOLEAN HideTypes[HIDE_LAST];

        // Presumably toggled by Stop/ResumeCounterForProcess.
        BOOLEAN ProcessPaused;

        // Which of the HIDE_INFO Clear* fix-ups have been applied.
        BOOLEAN PebBeingDebuggedCleared;
        BOOLEAN HeapFlagsCleared;
        BOOLEAN PebNtGlobalFlagCleared;
        BOOLEAN KUserSharedDataCleared;
        BOOLEAN HideFromDebuggerFlagCleared;
        BOOLEAN BypassProcessFreezeFlagCleared;
        BOOLEAN ProcessHandleTracingEnabled;
        BOOLEAN ProcessBreakOnTerminationCleared;
        BOOLEAN ThreadBreakOnTerminationCleared;

        // Which of the HIDE_INFO Save* captures have been taken ...
        BOOLEAN ProcessDebugFlagsSaved;
        BOOLEAN ProcessHandleTracingSaved;

        // ... and the captured values.
        BOOLEAN ValueProcessBreakOnTermination;
        BOOLEAN ValueProcessDebugFlags;

        KUSD Kusd;
    }HIDDEN_PROCESS, * PHIDDEN_PROCESS;

    // Entry for a debuggee, or (presumably) NULL when none is registered.
    PHIDDEN_PROCESS QueryHiddenProcess(PEPROCESS DebuggedProcess);

    // Adds a HIDDEN_THREAD for ThreadObject to InterceptedProcess's entry;
    // likely driven from ThreadNotifyRoutine (Notifiers.h, not shown).
    PHIDDEN_THREAD AppendThreadList(PEPROCESS InterceptedProcess, PETHREAD ThreadObject);

    // Registers DebuggerProcess as debugging DebuggedProcess. Called from
    // IOCTL_ADD_HIDER_ENTRY with IoGetCurrentProcess() as the debugger; a TRUE
    // result is counted in g_HyperHide.NumberOfActiveDebuggers.
    BOOLEAN CreateEntry(PEPROCESS DebuggerProcess, PEPROCESS DebuggedProcess);

    // Removes the entry owned by DebuggerProcess; FALSE when there is none.
    // Called with IoGetCurrentProcess() from DrvClose and with the PID-resolved
    // process from IOCTL_REMOVE_HIDER_ENTRY. A TRUE result should be matched
    // by a NumberOfActiveDebuggers decrement (see Dispatcher.cpp).
    BOOLEAN RemoveEntry(PEPROCESS DebuggerProcess);

    // Whether HideType is enabled for Process (HIDDEN_PROCESS::HideTypes).
    BOOLEAN IsHidden(PEPROCESS Process, HIDE_TYPE HideType);

    // Applies a HIDE_INFO received via IOCTL_HIDE_FROM_SYSCALL. HideInfo
    // points into the IRP's SystemBuffer and is untrusted; it must not be
    // retained past the call.
    BOOLEAN Hide(PHIDE_INFO HideInfo);

    // Presumably whether SymLink names this driver's device/symbolic link, for
    // hooks that must hide the driver itself - confirm in Hider.cpp.
    BOOLEAN IsDriverHandleHidden(PUNICODE_STRING SymLink);

    // Called once from DriverEntry before the notify routines are installed.
    BOOLEAN Initialize();

    // Paired with IOCTL_PROCESS_STOPPED / IOCTL_PROCESS_RESUMED (Dispatcher.cpp).
    BOOLEAN StopCounterForProcess(PEPROCESS DebuggedProcess);

    BOOLEAN ResumeCounterForProcess(PEPROCESS DebuggedProcess);

    // Whether DebuggerProcess has an entry as a debugger.
    BOOLEAN IsDebuggerProcess(PEPROCESS DebuggerProcess);

    // Blacklist checks on an image / window / window-class name.
    // IsProcessNameBad backs FilterProcesses() and IsWindowBad() in
    // HookHelper.cpp, where the name can come straight out of a
    // SYSTEM_PROCESS_INFO entry; the implementation has to tolerate
    // Length == 0 / Buffer == NULL.
    BOOLEAN IsProcessNameBad(PUNICODE_STRING ProcessName);

    BOOLEAN IsProcessWindowBad(PUNICODE_STRING WindowName);

    BOOLEAN IsProcessWindowClassBad(PUNICODE_STRING WindowClassName);

    // Frees every HIDDEN_THREAD of HiddenProcess.
    VOID DeleteThreadList(PHIDDEN_PROCESS HiddenProcess);

    // Drops the HIDDEN_THREAD for ThreadObject; likely the thread-exit side of
    // AppendThreadList.
    VOID TruncateThreadList(PEPROCESS InterceptedProcess, PETHREAD ThreadObject);

    // Called from DrvUnload and from DriverEntry's failure paths.
    VOID Uninitialize();
}
--------------------------------------------------------------------------------
/HyperHideDrv/HookHelper.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning(disable : 4267 4201)
2 |
3 | #include
4 | #include "Utils.h"
5 | #include "HookHelper.h"
6 | #include "GlobalData.h"
7 | #include "HypervisorGateway.h"
8 | #include "Log.h"
9 | #include
10 |
11 | extern HYPER_HIDE_GLOBAL_DATA g_HyperHide;
12 |
13 | extern HANDLE(NTAPI* OriginalNtUserQueryWindow)(HANDLE hWnd, WINDOWINFOCLASS WindowInfo);
14 |
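//
// Bytes from the start of a SYSTEM_PROCESS_INFO entry to the end of its thread
// array - the same formula the original used. It assumes SYSTEM_PROCESS_INFO
// ends with one embedded SYSTEM_THREAD_INFORMATION (hence the "- sizeof").
//
static SIZE_T ProcessEntrySize(PSYSTEM_PROCESS_INFO Entry)
{
    return sizeof(SYSTEM_PROCESS_INFO) + (SIZE_T)Entry->NumberOfThreads * sizeof(SYSTEM_THREAD_INFORMATION) - sizeof(SYSTEM_THREAD_INFORMATION);
}

//
// TRUE when the entry's ImageName characters lie inside the entry's own span,
// so they can be wiped without writing outside the list. ImageName.Buffer is
// a pointer read from the buffer, so it is never written through unchecked.
//
// For an entry with a successor the span is NextEntryOffset bytes. For the
// last entry the span is unknown, so only a name that starts directly after
// the thread array (where the kernel appears to place it) is accepted; if it
// is anywhere else the name is simply left unwiped.
//
static BOOLEAN ImageNameInsideEntry(PSYSTEM_PROCESS_INFO Entry, SIZE_T EntrySize, ULONG NextOffset)
{
    const ULONG_PTR Base = (ULONG_PTR)Entry;
    const ULONG_PTR Name = (ULONG_PTR)Entry->ImageName.Buffer;
    const SIZE_T Length = Entry->ImageName.Length;

    if (Name == 0 || Length == 0 || Name < Base + EntrySize)
        return FALSE;

    const SIZE_T NameOffset = (SIZE_T)(Name - Base);

    if (NextOffset == 0)
        return NameOffset == EntrySize;

    return NameOffset <= NextOffset && Length <= (SIZE_T)NextOffset - NameOffset;
}

//
// Splices every entry whose ImageName Hider::IsProcessNameBad() rejects out of
// a SystemProcessInformation list (the buffer a hooked NtQuerySystemInformation
// is about to return) and wipes it.
//
// The list is singly linked through NextEntryOffset (0 on the last entry).
// An entry is unlinked by adding its offset to the previous entry's offset,
// so the previous entry must be known: the head cannot be unlinked and is
// left as it is. The original relied on the first entry always being System
// and would have dereferenced NULL otherwise; that is now a guard.
//
// What is wiped: the original zeroed the fixed part plus the thread array but
// not the characters ImageName.Buffer points at, which are outside that range,
// so the hidden process's name was still findable by a raw scan of the
// returned bytes. The characters are now zeroed first (when they provably lie
// inside the entry, see ImageNameInsideEntry), then the entry.
//
// The buffer is whatever the hook hands over. If it is the caller's user-mode
// buffer, this must run under the hook's __try and after probing; neither is
// done here - TODO confirm at the call site in HookedFunctions.cpp.
//
// Parameters:
//   ProcessInfo - first entry of the list; NULL is a no-op.
//
VOID FilterProcesses(PSYSTEM_PROCESS_INFO ProcessInfo)
{
    PSYSTEM_PROCESS_INFO Prev = NULL;

    while (ProcessInfo != NULL)
    {
        // Read the link before the entry is possibly zeroed.
        const ULONG NextOffset = ProcessInfo->NextEntryOffset;

        if (Prev != NULL && Hider::IsProcessNameBad(&ProcessInfo->ImageName) == TRUE)
        {
            const SIZE_T EntrySize = ProcessEntrySize(ProcessInfo);

            // Unlink: Prev now points at our successor, or ends the list.
            if (NextOffset == 0)
                Prev->NextEntryOffset = 0;
            else
                Prev->NextEntryOffset += NextOffset;

            if (ImageNameInsideEntry(ProcessInfo, EntrySize, NextOffset))
                RtlSecureZeroMemory(ProcessInfo->ImageName.Buffer, ProcessInfo->ImageName.Length);

            RtlSecureZeroMemory(ProcessInfo, EntrySize);
        }
        else
        {
            Prev = ProcessInfo;
        }

        if (NextOffset == 0)
            break;

        ProcessInfo = (PSYSTEM_PROCESS_INFO)((UCHAR*)ProcessInfo + NextOffset);
    }
}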
45 |
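//
// TRUE when the process owning hWnd is one Hider::IsProcessNameBad() wants
// hidden; presumably used by the NtUser* hooks to pretend such windows do not
// exist. Windows of the calling process itself are never "bad".
//
// OriginalNtUserQueryWindow(hWnd, WindowProcess) yields the owning PID. For a
// stale or foreign handle PidToProcess() can come back NULL, which the
// original passed straight into PsQueryFullProcessImageName; a NULL owner is
// now treated as "not bad" instead of being dereferenced.
//
// PsQueryFullProcessImageName here returns a UNICODE_STRING by value, so it is
// a project helper rather than the WDK routine; whether its buffer must be
// freed is not visible here and is unchanged from the original - TODO confirm
// in Utils.
//
BOOLEAN IsWindowBad(HANDLE hWnd)
{
    PEPROCESS Owner = PidToProcess(OriginalNtUserQueryWindow(hWnd, WindowProcess));

    if (Owner == NULL || Owner == IoGetCurrentProcess())
        return FALSE;

    UNICODE_STRING OwnerImageName = PsQueryFullProcessImageName(Owner);

    return Hider::IsProcessNameBad(&OwnerImageName);
}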
56 |
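//
// Extracts the system service number from an x64 syscall stub exported by
// ntdll.dll / win32u.dll. Those stubs begin
//     4C 8B D1        mov r10, rcx
//     B8 xx xx xx xx  mov eax, <service number>
// so the number is the 32-bit immediate at offset 4; only its low 16 bits are
// kept, as in the original (win32u numbers still carry the 0x1000 table bias
// the caller subtracts).
//
// The original read offset 4 blindly, so a patched or hooked stub (a jmp
// planted by another driver or an EDR, for instance) silently produced a
// garbage number that was then hooked. The 4-byte prologue is now checked
// and -1 returned when it does not match; callers can test for `< 0`.
//
// Parameters:
//   FunctionAddress - start of the exported stub; must be readable.
//
// Returns the service number, or -1 for a NULL address or a stub whose first
// four bytes are not the expected prologue.
//
SHORT GetSyscallNumber(PVOID FunctionAddress)
{
    static const UCHAR StubPrologue[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    const UCHAR* Bytes = (const UCHAR*)FunctionAddress;

    if (Bytes == NULL)
        return -1;

    for (size_t i = 0; i < sizeof(StubPrologue); i++)
    {
        if (Bytes[i] != StubPrologue[i])
            return -1;
    }

    // Unaligned 16-bit read of the low half of the imm32 (x64 allows it).
    return *(const SHORT*)(Bytes + sizeof(StubPrologue));
}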
61 |
//
// Resolves the service numbers of the ntdll syscalls named in SyscallsToFind.
// The \KnownDlls\ntdll.dll section is mapped read-only into the current
// (System) process and each export's stub is decoded with GetSyscallNumber(),
// so no user process's possibly patched ntdll image is consulted.
//
// NtQuerySystemTime is special-cased: its number is taken as that of
// NtAccessCheckByTypeAndAuditAlarm plus one. Presumably because ntdll's
// NtQuerySystemTime is not a plain stub on the supported builds and the
// service numbers follow export-name order - confirm if a build in
// GlobalData.h breaks this.
//
// Parameters / returns:
//   SyscallsToFind - in/out: SyscallName set by the caller, SyscallNumber
//                    filled here. SyscallName.data() is passed as a C string,
//                    which only works because the names are literals.
//   Returns true when every name resolved; false when the section cannot be
//   opened or mapped, or the first missing export (numbers resolved earlier
//   stay in the array). A negative value from GetSyscallNumber() is not
//   treated as failure here.
//
// NOTE(review): the std::array element/size arguments and the `&section`
// argument (rendered `§ion` below) were mangled in this listing; the
// declaration in HookHelper.h is the authority.
//
BOOLEAN GetNtSyscallNumbers(std::array& SyscallsToFind)
{
    UNICODE_STRING knownDlls{};
    RtlInitUnicodeString(&knownDlls, LR"(\KnownDlls\ntdll.dll)");

    OBJECT_ATTRIBUTES objAttributes{};
    InitializeObjectAttributes(&objAttributes, &knownDlls, OBJ_CASE_INSENSITIVE, nullptr, nullptr);

    HANDLE section{};
    if (!NT_SUCCESS(ZwOpenSection(§ion, SECTION_MAP_READ, &objAttributes)))
        return false;

    PVOID ntdllBase{};
    size_t ntdllSize{};
    LARGE_INTEGER sectionOffset{};
    // ViewSize 0 maps the whole section; the view is unmapped on every path below.
    if (!NT_SUCCESS(ZwMapViewOfSection(section, ZwCurrentProcess(), &ntdllBase, 0, 0, §ionOffset, &ntdllSize, ViewShare, 0, PAGE_READONLY)))
    {
        ZwClose(section);
        return false;
    }

    auto status = true;
    for (auto& syscallInfo : SyscallsToFind)
    {
        if (syscallInfo.SyscallName == "NtQuerySystemTime")
        {
            // Derived from the neighbouring export, see the header comment.
            const auto functionAddress = GetExportedFunctionAddress(0, ntdllBase, "NtAccessCheckByTypeAndAuditAlarm");
            if (!functionAddress)
            {
                status = false;
                break;
            }

            syscallInfo.SyscallNumber = GetSyscallNumber(functionAddress) + 1;
        }
        else
        {
            const auto functionAddress = GetExportedFunctionAddress(0, ntdllBase, syscallInfo.SyscallName.data());
            if (!functionAddress)
            {
                status = false;
                break;
            }

            // Taken as-is: no check that the stub was intact.
            syscallInfo.SyscallNumber = GetSyscallNumber(functionAddress);
        }

        LogDebug("Syscall %s is equal: 0x%X", syscallInfo.SyscallName.data(), syscallInfo.SyscallNumber);
    }

    ZwClose(section);
    ZwUnmapViewOfSection(ZwCurrentProcess(), ntdllBase);

    return status;
}
117 |
//
// Hard-coded win32k service numbers for builds before Windows 10 RS1, where
// GetWin32kSyscallNumbers() cannot read them from win32u.dll. Fills the five
// fixed slots of SyscallsToFind (names and numbers) for the build recorded in
// g_HyperHide.CurrentWindowsBuildNumber.
//
// NOTE(review): a build that matches none of the branches (anything below
// Windows 7, or a Windows 10 build before 14393 other than 10240/10586) gets
// its names set but its numbers left untouched - and the caller still reports
// success, so whatever was in SyscallNumber (typically 0) would be hooked.
// The caller should treat an unlisted pre-RS1 build as unsupported.
//
// Parameters:
//   SyscallsToFind - must have at least five elements (indices 0-4 are written).
//
VOID GetWin32kSyscallNumbersPreRedstone(std::array& SyscallsToFind)
{
    SyscallsToFind[0].SyscallName = "NtUserBuildHwndList";
    SyscallsToFind[1].SyscallName = "NtUserFindWindowEx";
    SyscallsToFind[2].SyscallName = "NtUserQueryWindow";
    SyscallsToFind[3].SyscallName = "NtUserGetForegroundWindow";
    SyscallsToFind[4].SyscallName = "NtUserGetThreadState";

    // Windows 10 1507 / 1511
    if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_THRESHOLD2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_THRESHOLD1)
    {
        SyscallsToFind[0].SyscallNumber = 0x70;
        SyscallsToFind[1].SyscallNumber = 0x1f;
        SyscallsToFind[2].SyscallNumber = 0x13;
        SyscallsToFind[3].SyscallNumber = 0x3f;
        SyscallsToFind[4].SyscallNumber = 0x3;
    }
    // Windows 8.1
    else if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_8_1)
    {
        SyscallsToFind[0].SyscallNumber = 0x6f;
        SyscallsToFind[1].SyscallNumber = 0x1e;
        SyscallsToFind[2].SyscallNumber = 0x12;
        SyscallsToFind[3].SyscallNumber = 0x3e;
        SyscallsToFind[4].SyscallNumber = 0x2;
    }
    // Windows 8
    else if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_8)
    {
        SyscallsToFind[0].SyscallNumber = 0x6e;
        SyscallsToFind[1].SyscallNumber = 0x1d;
        SyscallsToFind[2].SyscallNumber = 0x11;
        SyscallsToFind[3].SyscallNumber = 0x3d;
        SyscallsToFind[4].SyscallNumber = 0x1;
    }
    // Windows 7 / 7 SP1
    else if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_7_SP1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_7)
    {
        SyscallsToFind[0].SyscallNumber = 0x6e;
        SyscallsToFind[1].SyscallNumber = 0x1c;
        SyscallsToFind[2].SyscallNumber = 0x10;
        SyscallsToFind[3].SyscallNumber = 0x3c;
        SyscallsToFind[4].SyscallNumber = 0x0;
    }
}
159 |
//
// Resolves the win32k service numbers named in SyscallsToFind.
//
// On Windows 10 RS1 (14393) and later the \KnownDlls\win32u.dll section is
// mapped read-only and each export's stub decoded with GetSyscallNumber();
// 0x1000 is subtracted because win32k stubs encode the table-1 bias and the
// caller presumably wants the bare table index. On older builds the numbers
// come from the GetWin32kSyscallNumbersPreRedstone() table instead, and
// success is reported even for a build that table does not cover.
//
// Returns true when every name resolved (or the pre-RS1 path was taken);
// false when the section cannot be opened or mapped or an export is missing.
//
// NOTE(review): the std::array template arguments and the `&section`
// argument (rendered `§ion` below) were mangled in this listing; see the
// declaration in HookHelper.h.
//
BOOLEAN GetWin32kSyscallNumbers(std::array& SyscallsToFind)
{
    if (g_HyperHide.CurrentWindowsBuildNumber >= WINDOWS_10_VERSION_REDSTONE1)
    {
        UNICODE_STRING knownDlls{};
        RtlInitUnicodeString(&knownDlls, LR"(\KnownDlls\win32u.dll)");

        OBJECT_ATTRIBUTES objAttributes{};
        InitializeObjectAttributes(&objAttributes, &knownDlls, OBJ_CASE_INSENSITIVE, nullptr, nullptr);

        HANDLE section{};
        if (!NT_SUCCESS(ZwOpenSection(§ion, SECTION_MAP_READ, &objAttributes)))
            return false;

        PVOID win32uBase{};
        size_t win32uSize{};
        LARGE_INTEGER sectionOffset{};
        if (!NT_SUCCESS(ZwMapViewOfSection(section, ZwCurrentProcess(), &win32uBase, 0, 0, §ionOffset, &win32uSize, ViewShare, 0, PAGE_READONLY)))
        {
            ZwClose(section);
            return false;
        }

        auto status = true;
        for (auto& syscallInfo : SyscallsToFind)
        {
            const auto functionAddress = GetExportedFunctionAddress(0, win32uBase, syscallInfo.SyscallName.data());
            if (!functionAddress)
            {
                status = false;
                break;
            }

            // Strip the 0x1000 win32k table bias; no check that the stub was intact.
            syscallInfo.SyscallNumber = GetSyscallNumber(functionAddress) - 0x1000;
            LogDebug("Syscall %s is equal: 0x%X", syscallInfo.SyscallName.data(), syscallInfo.SyscallNumber);
        }

        ZwClose(section);
        ZwUnmapViewOfSection(ZwCurrentProcess(), win32uBase);

        return status;
    }
    else
    {
        GetWin32kSyscallNumbersPreRedstone(SyscallsToFind);
        return true;
    }
}
--------------------------------------------------------------------------------
/HyperHideDrv/HookHelper.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 |
//
// One syscall to be hooked. Filled by GetNtSyscallNumbers() /
// GetWin32kSyscallNumbers() (HookHelper.cpp) and presumably consumed by
// HookSyscalls() (HookedFunctions.cpp, not in this listing).
//
struct SyscallInfo
{
    // Service number decoded from the ntdll / win32u stub (win32u numbers have
    // the 0x1000 bias removed). Meaningless until a resolver has run.
    SHORT SyscallNumber;
    // Export name to look up, e.g. "NtQueryInformationProcess". Must be a
    // NUL-terminated literal: the resolvers pass SyscallName.data() as a C string.
    std::string_view SyscallName;
    // Presumably the replacement handler's address.
    PVOID HookFunctionAddress;
    // Presumably where the original function's address is stored so the hook
    // can forward to it.
    PVOID* OriginalFunctionAddress;
};
13 |
// NOTE(review): the std::array template arguments were lost when this listing
// was extracted; the real declarations are std::array<SyscallInfo, N>&.

// Resolve SyscallNumber for every entry by parsing the ntdll export table.
// Returns FALSE if any name cannot be found; callers must not hook on FALSE.
BOOLEAN GetNtSyscallNumbers(std::array& SyscallsToFind);

// Same for win32k/win32u syscalls (maps \KnownDlls\win32u.dll read-only on
// Redstone 1 and later; older builds use a different path).
BOOLEAN GetWin32kSyscallNumbers(std::array& SyscallsToFind);

// TRUE when hWnd belongs to something the debugged process must not see
// (semantics defined in HookHelper.cpp — not visible here).
BOOLEAN IsWindowBad(HANDLE hWnd);

// Strips hidden processes out of a SystemProcessInformation buffer in place.
// NOTE(review): the buffer is user-supplied in the hooked syscall path; the
// implementation must walk it under __try/__except and respect NextEntryOffset.
VOID FilterProcesses(PSYSTEM_PROCESS_INFO ProcessInfo);
--------------------------------------------------------------------------------
/HyperHideDrv/HookedFunctions.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Private constants that are not in the WDK headers (values taken from the
// public NT information-class / flag definitions).
#define ObjectTypesInformation 3
#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x40
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x4
#define PROCESS_DEBUG_INHERIT 0x00000001 // default for a non-debugged process
#define PROCESS_NO_DEBUG_INHERIT 0x00000002 // default for a debugged process
#define PROCESS_QUERY_INFORMATION 0x0400
#define INVALID_HANDLE_VALUE ((HANDLE)(LONG_PTR)-1)

// Save/restore the caller-visible ReturnLength around a hook that queries
// the original syscall a second time. These expand to a bare dereference of
// ReturnLength.
// NOTE(review): in the hooked syscall path ReturnLength is normally a
// user-mode pointer. A bare read/write of it is only safe if the use site
// has already probed it (or the original syscall did) and the access sits
// inside a __try/__except; otherwise a bad pointer from user mode bugchecks
// the kernel. Confirm at every expansion site.
#define BACKUP_RETURNLENGTH() \
ULONG TempReturnLength = 0; \
if(ARGUMENT_PRESENT(ReturnLength)) \
TempReturnLength = *ReturnLength

#define RESTORE_RETURNLENGTH() \
if(ARGUMENT_PRESENT(ReturnLength)) \
(*ReturnLength) = TempReturnLength

// Installs the EPT hooks for every syscall in the table. Returns FALSE if any
// hook could not be placed.
BOOLEAN HookSyscalls();
--------------------------------------------------------------------------------
/HyperHideDrv/HyperHideDrv.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | x64
7 |
8 |
9 | Release
10 | x64
11 |
12 |
13 |
14 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}
15 | {1bc93793-694f-48fe-9372-81e2b05556fd}
16 | v4.5
17 | 12.0
18 | Debug
19 | Win32
20 | HyperHideDrv
21 | 10.0.19041.0
22 |
23 |
24 |
25 | Windows7
26 | true
27 | WindowsKernelModeDriver10.0
28 | Driver
29 | KMDF
30 | Desktop
31 | Spectre
32 |
33 |
34 | Windows7
35 | false
36 | WindowsKernelModeDriver10.0
37 | Driver
38 | KMDF
39 | Desktop
40 | Spectre
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 | DbgengKernelDebugger
53 | $(VC_IncludePath);$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH)
54 |
55 |
56 | DbgengKernelDebugger
57 | $(VC_IncludePath);$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH)
58 |
59 |
60 |
61 | %(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfLdr.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfDriverEntry.lib
62 |
63 |
64 | MaxSpeed
65 | Speed
66 | false
67 | true
68 | stdcpp20
69 | 4603;4627;4986;4987;%(DisableSpecificWarnings)
70 | AnySuitable
71 | true
72 |
73 |
74 |
75 |
76 | %(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfLdr.lib;$(KMDF_LIB_PATH)$(KMDF_VER_PATH)\WdfDriverEntry.lib
77 | /INTEGRITYCHECK %(AdditionalOptions)
78 |
79 |
80 | false
81 | stdcpp20
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
--------------------------------------------------------------------------------
/HyperHideDrv/HyperHideDrv.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
6 | h;hpp;hxx;hm;inl;inc;xsd
7 |
8 |
9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
11 |
12 |
13 | {8E41214B-6785-4CFE-B992-037D68949A14}
14 | inf;inv;inx;mof;mc;
15 |
16 |
17 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
18 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
19 |
20 |
21 |
22 |
23 | Source Files
24 |
25 |
26 | Source Files
27 |
28 |
29 | Source Files
30 |
31 |
32 | Source Files
33 |
34 |
35 | Source Files
36 |
37 |
38 | Source Files
39 |
40 |
41 | Source Files
42 |
43 |
44 | Source Files
45 |
46 |
47 | Source Files
48 |
49 |
50 | Source Files
51 |
52 |
53 | Source Files
54 |
55 |
56 | Source Files
57 |
58 |
59 | Source Files
60 |
61 |
62 |
63 |
64 | Header Files
65 |
66 |
67 | Header Files
68 |
69 |
70 | Header Files
71 |
72 |
73 | Header Files
74 |
75 |
76 | Header Files
77 |
78 |
79 | Header Files
80 |
81 |
82 | Header Files
83 |
84 |
85 | Header Files
86 |
87 |
88 | Header Files
89 |
90 |
91 | Header Files
92 |
93 |
94 | Header Files
95 |
96 |
97 | Header Files
98 |
99 |
100 | Header Files
101 |
102 |
103 | Header Files
104 |
105 |
106 | Header Files
107 |
108 |
109 | Header Files
110 |
111 |
112 | Header Files
113 |
114 |
115 | Header Files
116 |
117 |
118 | Header Files
119 |
120 |
121 |
122 |
123 | Source Files
124 |
125 |
126 |
--------------------------------------------------------------------------------
/HyperHideDrv/HypervisorGateway.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | #include
3 | #include
4 | #include "vmintrin.h"
5 | #include "Ntapi.h"
6 | #include "Log.h"
7 |
// IOCTL understood by the airhv hypervisor's \Device\airhv. The function code
// 0x900 is the same number as IOCTL_ADD_HIDER_ENTRY in Ioctl.h but targets a
// different device object, so there is no collision; keep them in sync with
// the hypervisor's dispatcher. FILE_SPECIAL_ACCESS == FILE_ANY_ACCESS, i.e.
// the I/O manager does not enforce a specific access right for this code.
#define IOCTL_POOL_MANAGER_ALLOCATE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
9 |
// Hypercall numbers passed as the first argument of __vm_call/__vm_call_ex.
// The numbering is an ABI shared with the airhv hypervisor: the values must
// match its VMCALL dispatch table exactly, so never reorder or insert entries.
enum vm_call_reasons
{
	VMCALL_TEST,                // liveness check (see test_vmcall)
	VMCALL_VMXOFF,              // leave VMX operation on this core
	VMCALL_EPT_HOOK_FUNCTION,   // install an EPT execute hook on a page
	VMCALL_EPT_UNHOOK_FUNCTION, // remove one hook or all hooks
	VMCALL_DUMP_POOL_MANAGER,   // debug output of the hypervisor's pool usage
	VMCALL_DUMP_VMCS_STATE,     // debug output (not issued from this file)
	VMCALL_HIDE_HV_PRESENCE,    // clear the hypervisor-present CPUID bit/leaf
	VMCALL_UNHIDE_HV_PRESENCE   // restore it
};
21 |
// INVEPT descriptor types (Intel SDM). Declared for completeness; nothing in
// this file issues INVEPT itself — the hypervisor invalidates EPT mappings
// after the hook/unhook hypercalls.
enum invept_type
{
	INVEPT_SINGLE_CONTEXT = 1,
	INVEPT_ALL_CONTEXTS = 2
};
27 |
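namespace hv
{
	// -------------------------------------------------------------------------
	// DPC broadcast callbacks
	//
	// KeGenericCallDpc runs a routine once on every logical processor at
	// DISPATCH_LEVEL. The hypercalls below are issued per core because the
	// hypervisor keeps per-VCPU state. Every callback must call
	// KeSignalCallDpcSynchronize and then KeSignalCallDpcDone, otherwise the
	// broadcast never completes. Each "statuses" counter is bumped once per
	// core on which the hypercall reported success; the public wrappers compare
	// it with the active processor count to decide whether the whole broadcast
	// worked. __vm_call/__vm_call_ex live in vmintrin.h (not visible here);
	// they are presumably the VMCALL stubs returning non-zero on success —
	// TODO confirm against the hypervisor's handler.
	// -------------------------------------------------------------------------

	// Leave VMX operation on the current core.
	void broadcast_vmoff(KDPC*, PVOID, PVOID SystemArgument1, PVOID SystemArgument2)
	{
		__vm_call(VMCALL_VMXOFF, 0, 0, 0);
		KeSignalCallDpcSynchronize(SystemArgument2);
		KeSignalCallDpcDone(SystemArgument1);
	}

	// Arguments shared by all cores for one EPT hook request. Field order is
	// relied on by the aggregate initialisation in hook_function().
	struct HookFunctionArgs
	{
		void* target_address;         // function to hook
		void* hook_function;          // detour the hypervisor redirects to
		void** origin_function;       // receives the pointer used to call the original
		unsigned __int64 current_cr3; // CR3 of the requesting thread, used by the HV to translate target_address
		volatile SHORT statuses;      // cores that reported success
	};

	// Per-core part of hook_function().
	void broadcast_hook_function(KDPC*, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
	{
		const auto args = reinterpret_cast<HookFunctionArgs*>(DeferredContext);

		if (__vm_call_ex(VMCALL_EPT_HOOK_FUNCTION, (unsigned __int64)args->target_address,
			(unsigned __int64)args->hook_function, (unsigned __int64)args->origin_function, args->current_cr3, 0, 0, 0, 0, 0))
		{
			InterlockedIncrement16(&args->statuses);
		}

		KeSignalCallDpcSynchronize(SystemArgument2);
		KeSignalCallDpcDone(SystemArgument1);
	}

	// Arguments shared by all cores for one unhook request. Field order is
	// relied on by the aggregate initialisation in the unhook wrappers.
	struct UnHookFunctionArgs
	{
		bool unhook_all_functions;    // true: ignore function_to_unhook and drop every hook
		void* function_to_unhook;
		unsigned __int64 current_cr3;
		volatile SHORT statuses;
	};

	// Per-core part of unhook_function()/unhook_all_functions().
	void broadcast_unhook_function(KDPC*, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
	{
		const auto args = reinterpret_cast<UnHookFunctionArgs*>(DeferredContext);

		if (__vm_call(VMCALL_EPT_UNHOOK_FUNCTION, args->unhook_all_functions,
			(unsigned __int64)args->function_to_unhook, args->current_cr3))
		{
			InterlockedIncrement16(&args->statuses);
		}

		KeSignalCallDpcSynchronize(SystemArgument2);
		KeSignalCallDpcDone(SystemArgument1);
	}

	// Per-core part of test_vmcall(); DeferredContext points at the counter.
	void broadcast_test_vmcall(KDPC*, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
	{
		const auto statuses = reinterpret_cast<volatile SHORT*>(DeferredContext);

		if (__vm_call(VMCALL_TEST, 0, 0, 0))
		{
			InterlockedIncrement16(statuses);
		}

		KeSignalCallDpcSynchronize(SystemArgument2);
		KeSignalCallDpcDone(SystemArgument1);
	}

	/// <summary>
	/// Ask the hypervisor to execute VMXOFF on every core (devirtualise the
	/// machine). Irreversible from this driver; no status is reported.
	/// </summary>
	void vmoff()
	{
		KeGenericCallDpc(broadcast_vmoff, NULL);
	}

	/// <summary>
	/// Show or hide the hypervisor in the CPUID interface.
	/// </summary>
	/// <param name="value">true: hypervisor becomes visible via CPUID; false: hidden.</param>
	/// NOTE(review): only the core this thread happens to run on issues the
	/// hypercall. If the hypervisor keeps the hide flag per VCPU, the other
	/// cores are unaffected — confirm against airhv and broadcast with
	/// KeGenericCallDpc if so.
	void hypervisor_visible(bool value)
	{
		const auto reason = value ? VMCALL_UNHIDE_HV_PRESENCE : VMCALL_HIDE_HV_PRESENCE;
		__vm_call(reason, 0, 0, 0);
	}

	/// <summary>
	/// Remove every EPT hook on every core and let the hypervisor invalidate
	/// its mappings.
	/// </summary>
	/// <returns>true only if every active processor reported success.</returns>
	bool unhook_all_functions()
	{
		UnHookFunctionArgs args{ true, nullptr, __readcr3(), 0 };
		KeGenericCallDpc(broadcast_unhook_function, &args);

		return static_cast<ULONG>(args.statuses) == KeQueryActiveProcessorCountEx(ALL_PROCESSOR_GROUPS);
	}

	/// <summary>
	/// Remove the EPT hook on a single function on every core.
	/// </summary>
	/// <param name="function_address">Address passed to hook_function() as target_address.</param>
	/// <returns>true only if every active processor reported success.</returns>
	bool unhook_function(void* function_address)
	{
		UnHookFunctionArgs args{ false, function_address, __readcr3(), 0 };
		KeGenericCallDpc(broadcast_unhook_function, &args);

		return static_cast<ULONG>(args.statuses) == KeQueryActiveProcessorCountEx(ALL_PROCESSOR_GROUPS);
	}

	/// <summary>
	/// Integer-address overload matching the declaration in HypervisorGateway.h
	/// (the header declares unsigned __int64, the original definition only
	/// took void*, so the declared function had no definition). Forwards to the
	/// pointer overload.
	/// </summary>
	bool unhook_function(unsigned __int64 function_address)
	{
		return unhook_function(reinterpret_cast<void*>(function_address));
	}

	/// <summary>
	/// Install an EPT execute hook on target_address on every core and let the
	/// hypervisor invalidate its mappings. The CR3 of the calling thread is
	/// handed to the hypervisor so it can translate target_address; call this
	/// from a context in which target_address is mapped (kernel addresses
	/// always are, user addresses only while attached to that process).
	/// </summary>
	/// <param name="target_address">Function to hook.</param>
	/// <param name="hook_function">Detour that receives execution instead.</param>
	/// <param name="origin_function">Receives the pointer used to call the original function.</param>
	/// <returns>true only if every active processor reported success.</returns>
	bool hook_function(void* target_address, void* hook_function, void** origin_function)
	{
		HookFunctionArgs args{ target_address, hook_function, origin_function, __readcr3(), 0 };
		KeGenericCallDpc(broadcast_hook_function, &args);

		return static_cast<ULONG>(args.statuses) == KeQueryActiveProcessorCountEx(ALL_PROCESSOR_GROUPS);
	}

	/// <summary>
	/// Ask the hypervisor to print its pool-manager state (visible in DbgView).
	/// </summary>
	void dump_pool_manager()
	{
		__vm_call(VMCALL_DUMP_POOL_MANAGER, 0, 0, 0);
	}

	/// <summary>
	/// Check that the hypervisor answers hypercalls on every core.
	/// </summary>
	/// <returns>true only if every active processor got a successful reply.</returns>
	bool test_vmcall()
	{
		volatile SHORT statuses{};
		KeGenericCallDpc(broadcast_test_vmcall, (PVOID)&statuses);

		return static_cast<ULONG>(statuses) == KeQueryActiveProcessorCountEx(ALL_PROCESSOR_GROUPS);
	}

	/// <summary>
	/// Send IOCTL_POOL_MANAGER_ALLOCATE to \Device\airhv so the hypervisor can
	/// pre-allocate pool for later hooks (it cannot allocate from VMX root).
	///
	/// Fixes over the previous version: the device/file object pointers were
	/// used (referenced / dereferenced) before the IoGetDeviceObjectPointer
	/// status was checked, so a missing airhv device dereferenced uninitialised
	/// pointers; the ObReferenceObjectByPointer result was ignored; and the
	/// request's completion status was never examined, so the function returned
	/// true even when the hypervisor rejected the request.
	/// </summary>
	/// <returns>true if the request completed successfully.</returns>
	bool send_irp_perform_allocation()
	{
		PDEVICE_OBJECT airhv_device_object = nullptr;
		PFILE_OBJECT file_object = nullptr;
		KEVENT event;
		IO_STATUS_BLOCK io_status = { 0 };
		UNICODE_STRING airhv_name;

		RtlInitUnicodeString(&airhv_name, L"\\Device\\airhv");

		NTSTATUS status = IoGetDeviceObjectPointer(&airhv_name, 0, &file_object, &airhv_device_object);
		if (NT_SUCCESS(status) == false)
		{
			LogError("Couldn't get hypervisor device object pointer");
			return false;
		}

		// Hold our own reference on the device object for the duration of the
		// request and drop the file object right away; we never use it.
		// NOTE(review): the documented pattern is to keep the file object
		// referenced while the device object is in use. Taking a direct
		// reference keeps the device object alive but may not pin the owning
		// driver the same way — acceptable here only because airhv is not
		// expected to unload while HyperHide is running; confirm.
		status = ObReferenceObjectByPointer(airhv_device_object, FILE_ALL_ACCESS, NULL, KernelMode);
		ObDereferenceObject(file_object);

		if (NT_SUCCESS(status) == false)
		{
			LogError("Couldn't reference hypervisor device object");
			return false;
		}

		KeInitializeEvent(&event, NotificationEvent, FALSE);
		PIRP irp = IoBuildDeviceIoControlRequest(IOCTL_POOL_MANAGER_ALLOCATE, airhv_device_object, 0, 0, 0, 0, 0, &event, &io_status);

		if (irp == NULL)
		{
			LogError("Couldn't create Irp");
			ObDereferenceObject(airhv_device_object);
			return false;
		}

		// The IRP is owned by the I/O manager once IofCallDriver is called; it is
		// freed on completion, so it must not be touched afterwards.
		status = IofCallDriver(airhv_device_object, irp);

		if (status == STATUS_PENDING)
		{
			KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
			status = io_status.Status;
		}

		ObDereferenceObject(airhv_device_object);

		if (NT_SUCCESS(status) == false)
		{
			LogError("Hypervisor pool allocation request failed: 0x%X", status);
			return false;
		}

		return true;
	}
}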
--------------------------------------------------------------------------------
/HyperHideDrv/HypervisorGateway.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Kernel-side gateway to the airhv hypervisor (implemented in
// HypervisorGateway.cpp). All bool functions return true only when every
// active processor acknowledged the hypercall.
namespace hv
{
	// Install an EPT execute hook on target_address; *origin_function receives
	// the pointer used to call the original. Must be called from a context in
	// which target_address is mapped (the caller's CR3 is sent to the HV).
	bool hook_function(void* target_address, void* hook_function, void** origin_function);

	// true: hypervisor visible via CPUID; false: hidden.
	void hypervisor_visible(bool value);

	// Liveness check of the hypercall interface on every core.
	bool test_vmcall();

	// Remove every EPT hook.
	bool unhook_all_functions();

	// Remove the hook on one function.
	// NOTE(review): HypervisorGateway.cpp defines unhook_function(void*), not
	// this unsigned __int64 signature; unless a matching overload exists, a
	// call through this declaration does not link. Keep the two in sync.
	bool unhook_function(unsigned __int64 function_address);

	// Ask the hypervisor (via IOCTL to \Device\airhv) to pre-allocate pool.
	bool send_irp_perform_allocation();
}
--------------------------------------------------------------------------------
/HyperHideDrv/Ioctl.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Control codes of the HyperHide device, shared with the x64dbg plugin
// (the plugin's Ioctl.h must match these values).
//
// Security note: all codes use FILE_SPECIAL_ACCESS, which equals
// FILE_ANY_ACCESS — the I/O manager therefore does not require any specific
// access right on the handle. Who may issue these requests is decided solely
// by the device object's security descriptor (set where the device is
// created) and by whatever the dispatcher validates; since these IOCTLs
// alter another process's PEB and syscall view, the device must not be
// openable by unprivileged users. Confirm in the device-creation code.
#define IOCTL_ADD_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_CLEAR_PEB_DEBUGGER_FLAG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x901, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_SET_PEB_DEBUGGER_FLAG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x902, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_HIDE_FROM_SYSCALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x903, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x904, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_REMOVE_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x905, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_PROCESS_STOPPED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x906, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_PROCESS_RESUMED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x907, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_SET_HYPERVISOR_VISIBILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x908, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
--------------------------------------------------------------------------------
/HyperHideDrv/KuserSharedData.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | #include
3 | #include "Utils.h"
4 | #include "Hider.h"
5 | #include "GlobalData.h"
6 | #include "Log.h"
7 | #include "KuserSharedData.h"
8 |
// Kernel-mode alias of the real KUSER_SHARED_DATA page. This is the page the
// kernel keeps updating; the per-process fake pages are derived from it.
PKUSER_SHARED_DATA KernelKuserSharedData = (PKUSER_SHARED_DATA)(KUSER_SHARED_DATA_KERNELMODE);

// nt!MmPfnDatabase, located by signature in GetPfnDatabase(). Stays NULL if
// the signature scan fails — everything indexing it must check for that.
PMMPFN MmPfnDatabase = 0;
12 |
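// Locate nt!MmPfnDatabase by scanning ntoskrnl's .text for a known
// instruction sequence and decoding the RIP-relative operand.
//
// The pattern is
//     48 8B 05 ?? ?? ?? ??   mov rax, [rip+disp32]   ; rax = MmPfnDatabase
//     48 89 43 18            mov [rbx+18h], rax
//     48 8D 05               lea rax, [...]
// and is build-specific: on a kernel where it does not match (or matches the
// wrong site) this returns FALSE and MmPfnDatabase stays NULL. Callers that
// index MmPfnDatabase must check the return value.
//
// Change over the previous version: the sanity check on the scan result now
// accounts for the 14-byte pattern (the old `<= TextBase + TextSize` test
// accepted a match that would read past the end of .text), and a NULL value
// read from the global is reported as a failure instead of being stored.
//
// Returns TRUE on success, FALSE if the section or the signature is not found.
BOOLEAN GetPfnDatabase()
{
	ULONG64 TextSize;
	PVOID TextBase;

	if (GetSectionData("ntoskrnl.exe", ".text", TextSize, TextBase) == FALSE)
		return FALSE;

	CONST CHAR* Pattern = "\x48\x8B\x05\x00\x00\x00\x00\x48\x89\x43\x18\x48\x8D\x05";
	CONST CHAR* Mask = "xxx????xxxxxxx";
	CONST ULONG64 PatternLength = 14; // strlen(Mask)

	CONST ULONG64 TextStart = (ULONG64)TextBase;
	CONST ULONG64 TextEnd = TextStart + TextSize;

	ULONG64 Match = (ULONG64)FindSignature(TextBase, TextSize, Pattern, Mask);

	// Reject a NULL result and anything where the whole pattern does not lie
	// inside .text.
	if (Match == 0 || Match < TextStart || Match + PatternLength > TextEnd)
	{
		LogError("Couldn't get PfnDatabase address");
		return FALSE;
	}

	// RIP-relative decode: target = (address of next instruction = Match + 7)
	// + sign-extended disp32 stored at Match + 3.
	CONST LONG Displacement = *(LONG*)(Match + 3);
	CONST ULONG64 GlobalAddress = (Match + 7) + (ULONG64)(LONG64)Displacement;

	MmPfnDatabase = *(PMMPFN*)GlobalAddress;

	if (MmPfnDatabase == NULL)
	{
		LogError("Couldn't get PfnDatabase address");
		return FALSE;
	}

	LogInfo("MmPfnDataBase address 0x%llx", MmPfnDatabase);
	return TRUE;
}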
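// Give the debugged process its own copy of KUSER_SHARED_DATA.
//
// A fresh physical page is allocated, filled with a snapshot of the live
// page, and the process's PTE for 0x7FFE0000 (KUSER_SHARED_DATA_USERMODE)
// is repointed at it. CounterUpdater() then keeps the copy's clocks running
// with the accumulated "paused" time subtracted, so timing checks in the
// debuggee do not notice breaks. Bit 57 of MMPFN.u4 (PrototypePte in the
// layout in KuserSharedData.h) is set on the fake page's PFN entry; presumably
// this keeps Mm from treating the page as an ordinary private page while a
// user PTE points at it — confirm.
//
// Changes over the previous version: MmPfnDatabase and the allocation are
// checked (the old code dereferenced NULL on allocation failure), and a
// process that is already hooked is left alone — re-hooking overwrote
// OriginalKuserSharedDataPfn with the fake PFN, so the real page could never
// be restored.
//
// On failure nothing is modified and Kusd.KuserSharedData stays NULL, which
// CounterUpdater() and UnHookKuserSharedData() treat as "not hooked".
//
// NOTE(review): the PTE is rewritten without a TLB shootdown; threads of the
// debuggee running on other cores keep the old translation until their TLB
// entry is evicted. Confirm whether that window is acceptable.
VOID HookKuserSharedData(Hider::PHIDDEN_PROCESS HiddenProcess)
{
	CONST ULONGLONG PrototypePteBit = 0x200000000000000ULL; // MMPFN.u4 bit 57
	KAPC_STATE State;
	PHYSICAL_ADDRESS PhysicalMax;
	PhysicalMax.QuadPart = ~0ULL;

	if (MmPfnDatabase == NULL)
	{
		LogError("MmPfnDatabase is unknown, cannot hook KUSER_SHARED_DATA");
		return;
	}

	if (HiddenProcess->Kusd.KuserSharedData != NULL)
	{
		// Already hooked; hooking again would lose the original PFN.
		return;
	}

	PVOID NewKuserSharedData = MmAllocateContiguousMemory(PAGE_SIZE, PhysicalMax);
	if (NewKuserSharedData == NULL)
	{
		LogError("Couldn't allocate page for fake KUSER_SHARED_DATA");
		return;
	}

	ULONG64 PfnNewKuserSharedData = MmGetPhysicalAddress(NewKuserSharedData).QuadPart >> PAGE_SHIFT;

	// The PTE for 0x7FFE0000 is per process, so everything below runs in the
	// debuggee's address space.
	KeStackAttachProcess((PRKPROCESS)HiddenProcess->DebuggedProcess, &State);

	PMMPFN FakeKUSDMmpfn = (PMMPFN)(MmPfnDatabase + PfnNewKuserSharedData);
	FakeKUSDMmpfn->u4.EntireField |= PrototypePteBit;

	// Snapshot the live page before repointing the PTE.
	RtlCopyMemory(NewKuserSharedData, (PVOID)KUSER_SHARED_DATA_USERMODE, PAGE_SIZE);

	PTE* KusdPte = (PTE*)GetPteAddress(KUSER_SHARED_DATA_USERMODE);
	HiddenProcess->Kusd.PteKuserSharedData = KusdPte;
	HiddenProcess->Kusd.OriginalKuserSharedDataPfn = KusdPte->Fields.PhysicalAddress;
	KusdPte->Fields.PhysicalAddress = PfnNewKuserSharedData;
	HiddenProcess->Kusd.KuserSharedData = (PKUSER_SHARED_DATA)NewKuserSharedData;

	KeUnstackDetachProcess(&State);
}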
61 |
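// Undo HookKuserSharedData(): point the process's KUSER_SHARED_DATA PTE back
// at the real page, clear the PFN-entry bit we set, and free the fake page.
//
// Changes over the previous version: the real page is mapped back *before*
// the fake page is freed (the old order freed the page first, leaving the
// debuggee's user mapping pointing at a freed — and possibly reused —
// physical page for a moment), and a process that is not hooked is a no-op
// instead of freeing a NULL pointer.
//
// The HideTypes flag is cleared unconditionally so CounterUpdater() stops
// touching the page; it checks that flag and Kusd.KuserSharedData under
// Hider::HiderMutex, which this function does not take — the caller is
// presumably responsible for that ordering; confirm.
VOID UnHookKuserSharedData(Hider::PHIDDEN_PROCESS HiddenProcess)
{
	CONST ULONGLONG PrototypePteBit = 0x200000000000000ULL; // MMPFN.u4 bit 57
	KAPC_STATE State;
	HiddenProcess->HideTypes[HIDE_KUSER_SHARED_DATA] = FALSE;

	PVOID FakePage = HiddenProcess->Kusd.KuserSharedData;
	PTE* KusdPte = HiddenProcess->Kusd.PteKuserSharedData;

	if (FakePage == NULL || KusdPte == NULL || MmPfnDatabase == NULL)
		return;

	KeStackAttachProcess((PRKPROCESS)HiddenProcess->DebuggedProcess, &State);

	// Restore the real page first so no user mapping ever references a freed page.
	PMMPFN FakeKUSDMmpfn = (PMMPFN)(MmPfnDatabase + KusdPte->Fields.PhysicalAddress);
	KusdPte->Fields.PhysicalAddress = HiddenProcess->Kusd.OriginalKuserSharedDataPfn;
	FakeKUSDMmpfn->u4.EntireField &= ~PrototypePteBit;
	HiddenProcess->Kusd.KuserSharedData = NULL;

	KeUnstackDetachProcess(&State);

	// Kernel VA; does not depend on the attached address space.
	MmFreeContiguousMemory(FakePage);
}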
78 |
// System-thread body that keeps every hooked process's fake KUSER_SHARED_DATA
// clocks ticking. Roughly every millisecond it copies the kernel's live time
// fields into each fake page, minus the per-process delta accumulated while
// the debuggee was stopped (see GetBegin/UpdateDelta), so the debuggee sees
// a clock that did not advance during the pause.
//
// Context is unused. Runs until Hider::StopCounterThread becomes TRUE, then
// terminates itself. The list walk is done under Hider::HiderMutex.
//
// The 64-bit writes reinterpret KSYSTEM_TIME {LowPart, High1Time, High2Time}
// as one ULONG64 covering LowPart+High1Time, then copy High1Time to
// High2Time, which mirrors the kernel's own update protocol (readers compare
// High1Time and High2Time to detect a torn read).
VOID CounterUpdater(PVOID Context)
{
	UNREFERENCED_PARAMETER(Context);

	LARGE_INTEGER TimeToWait = { 0 };
	TimeToWait.QuadPart = -10000LL; // relative 1ms

	while (Hider::StopCounterThread == FALSE)
	{
		KeDelayExecutionThread(KernelMode, FALSE, &TimeToWait);

		KeAcquireGuardedMutex(&Hider::HiderMutex);
		PLIST_ENTRY current = Hider::HiddenProcessesHead.Flink;
		while (current != &Hider::HiddenProcessesHead)
		{
			Hider::PHIDDEN_PROCESS HiddenProcess = (Hider::PHIDDEN_PROCESS)CONTAINING_RECORD(current, Hider::HIDDEN_PROCESS, HiddenProcessesList);
			current = current->Flink;

			// Only touch processes that are hooked, running, and want this hide.
			if (HiddenProcess->DebuggedProcess != NULL &&
				HiddenProcess->ProcessPaused == FALSE &&
				HiddenProcess->Kusd.KuserSharedData != NULL &&
				HiddenProcess->HideTypes[HIDE_KUSER_SHARED_DATA] == TRUE)
			{
				// InterruptTime / SystemTime / TickCount: live value minus paused time.
				*(ULONG64*)&HiddenProcess->Kusd.KuserSharedData->InterruptTime = *(ULONG64*)&KernelKuserSharedData->InterruptTime.LowPart - HiddenProcess->Kusd.DeltaInterruptTime;
				HiddenProcess->Kusd.KuserSharedData->InterruptTime.High2Time = HiddenProcess->Kusd.KuserSharedData->InterruptTime.High1Time;

				*(ULONG64*)&HiddenProcess->Kusd.KuserSharedData->SystemTime = *(ULONG64*)&KernelKuserSharedData->SystemTime.LowPart - HiddenProcess->Kusd.DeltaSystemTime;
				HiddenProcess->Kusd.KuserSharedData->SystemTime.High2Time = HiddenProcess->Kusd.KuserSharedData->SystemTime.High1Time;

				HiddenProcess->Kusd.KuserSharedData->LastSystemRITEventTickCount = KernelKuserSharedData->LastSystemRITEventTickCount - HiddenProcess->Kusd.DeltaLastSystemRITEventTickCount;

				*(ULONG64*)&HiddenProcess->Kusd.KuserSharedData->TickCount = *(ULONG64*)&KernelKuserSharedData->TickCount.LowPart - HiddenProcess->Kusd.DeltaTickCount;
				HiddenProcess->Kusd.KuserSharedData->TickCount.High2Time = HiddenProcess->Kusd.KuserSharedData->TickCount.High1Time;

				// NOTE(review): TimeUpdateLock is a sequence/lock word, not a
				// clock; subtracting a delta from it is presumably meant to keep
				// its parity consistent with the snapshot — confirm intent.
				HiddenProcess->Kusd.KuserSharedData->TimeUpdateLock = KernelKuserSharedData->TimeUpdateLock - HiddenProcess->Kusd.DeltaTimeUpdateLock;

				// NOTE(review): BaselineInterruptTimeQpc is set to the adjusted
				// *system* time baseline, not to the kernel's interrupt-time
				// baseline — confirm this is intended.
				HiddenProcess->Kusd.KuserSharedData->BaselineSystemTimeQpc = KernelKuserSharedData->BaselineSystemTimeQpc - HiddenProcess->Kusd.DeltaBaselineSystemQpc;
				HiddenProcess->Kusd.KuserSharedData->BaselineInterruptTimeQpc = HiddenProcess->Kusd.KuserSharedData->BaselineSystemTimeQpc;
			}
		}
		KeReleaseGuardedMutex(&Hider::HiderMutex);
	}

	PsTerminateSystemThread(STATUS_SUCCESS);
}
125 |
// Record the moment DebuggedProcess was stopped by the debugger.
//
// Takes a snapshot of the kernel's live KUSER_SHARED_DATA time fields into the
// process's Kusd.Begin* members so that UpdateDelta() can later compute how
// long the pause lasted. Only the first matching entry whose
// BeginInterruptTime is still zero is updated (a second call while already
// paused is a no-op). Walks the hidden-process list under Hider::HiderMutex.
VOID GetBegin(PEPROCESS DebuggedProcess)
{
	KeAcquireGuardedMutex(&Hider::HiderMutex);

	for (PLIST_ENTRY Entry = Hider::HiddenProcessesHead.Flink;
		Entry != &Hider::HiddenProcessesHead;
		Entry = Entry->Flink)
	{
		Hider::PHIDDEN_PROCESS Hidden = CONTAINING_RECORD(Entry, Hider::HIDDEN_PROCESS, HiddenProcessesList);

		if (Hidden->DebuggedProcess != DebuggedProcess)
			continue;
		if (Hidden->Kusd.BeginInterruptTime != 0)
			continue;

		Hidden->Kusd.BeginInterruptTime = *(ULONG64*)&KernelKuserSharedData->InterruptTime;
		Hidden->Kusd.BeginSystemTime = *(ULONG64*)&KernelKuserSharedData->SystemTime;
		Hidden->Kusd.BeginLastSystemRITEventTickCount = KernelKuserSharedData->LastSystemRITEventTickCount;
		Hidden->Kusd.BeginTickCount = *(ULONG64*)&KernelKuserSharedData->TickCount;
		Hidden->Kusd.BeginTimeUpdateLock = KernelKuserSharedData->TimeUpdateLock;
		Hidden->Kusd.BeginBaselineSystemQpc = KernelKuserSharedData->BaselineSystemTimeQpc;
		break;
	}

	KeReleaseGuardedMutex(&Hider::HiderMutex);
}
151 |
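// Record the moment DebuggedProcess was resumed.
//
// Adds (now - Begin*) to each Kusd.Delta* accumulator so the fake
// KUSER_SHARED_DATA page keeps showing a clock that did not advance while the
// process was stopped, then clears the Begin* snapshot taken by GetBegin().
// Only the first matching entry with a pending snapshot is updated. Walks the
// hidden-process list under Hider::HiderMutex.
//
// Change over the previous version: the Begin* fields are reset one by one
// instead of with RtlZeroMemory(&BeginInterruptTime, sizeof(ULONG64) * 5 + 4),
// which silently depended on the six fields being laid out contiguously in
// that exact order with no padding.
VOID UpdateDelta(PEPROCESS DebuggedProcess)
{
	KeAcquireGuardedMutex(&Hider::HiderMutex);

	for (PLIST_ENTRY Entry = Hider::HiddenProcessesHead.Flink;
		Entry != &Hider::HiddenProcessesHead;
		Entry = Entry->Flink)
	{
		Hider::PHIDDEN_PROCESS Hidden = CONTAINING_RECORD(Entry, Hider::HIDDEN_PROCESS, HiddenProcessesList);

		if (Hidden->DebuggedProcess != DebuggedProcess)
			continue;
		if (Hidden->Kusd.BeginInterruptTime == 0)
			continue; // no matching GetBegin() snapshot

		Hidden->Kusd.DeltaInterruptTime += *(ULONG64*)&KernelKuserSharedData->InterruptTime - Hidden->Kusd.BeginInterruptTime;
		Hidden->Kusd.DeltaSystemTime += *(ULONG64*)&KernelKuserSharedData->SystemTime - Hidden->Kusd.BeginSystemTime;
		Hidden->Kusd.DeltaLastSystemRITEventTickCount += KernelKuserSharedData->LastSystemRITEventTickCount - Hidden->Kusd.BeginLastSystemRITEventTickCount;
		Hidden->Kusd.DeltaTickCount += *(ULONG64*)&KernelKuserSharedData->TickCount - Hidden->Kusd.BeginTickCount;
		Hidden->Kusd.DeltaTimeUpdateLock += KernelKuserSharedData->TimeUpdateLock - Hidden->Kusd.BeginTimeUpdateLock;
		Hidden->Kusd.DeltaBaselineSystemQpc += KernelKuserSharedData->BaselineSystemTimeQpc - Hidden->Kusd.BeginBaselineSystemQpc;

		// Clear the snapshot so the next GetBegin() is accepted.
		Hidden->Kusd.BeginInterruptTime = 0;
		Hidden->Kusd.BeginSystemTime = 0;
		Hidden->Kusd.BeginLastSystemRITEventTickCount = 0;
		Hidden->Kusd.BeginTickCount = 0;
		Hidden->Kusd.BeginTimeUpdateLock = 0;
		Hidden->Kusd.BeginBaselineSystemQpc = 0;

		break;
	}

	KeReleaseGuardedMutex(&Hider::HiderMutex);
}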
178 |
--------------------------------------------------------------------------------
/HyperHideDrv/KuserSharedData.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "Hider.h"
4 |
// Layout of one nt!MmPfnDatabase entry (x64, recent Windows 10 builds).
//
// This is an undocumented, build-dependent structure; the offsets in the
// trailing comments are what the code relies on. KuserSharedData.cpp indexes
// the database with pointer arithmetic (MmPfnDatabase + pfn), so sizeof(MMPFN)
// must be exactly 0x30 on the target build, and it touches u4.EntireField bit
// 57 — PrototypePte in this layout (36+2+1+1+10+2+1+1+3 = 57 bits precede it).
// Verify both against the running kernel's symbols when targeting a new build.
typedef struct _MMPFN
{
	union
	{
		LIST_ENTRY ListEntry; //0x0
		RTL_BALANCED_NODE TreeNode; //0x0
		struct
		{
			union
			{
				SINGLE_LIST_ENTRY NextSlistPfn; //0x0
				VOID* Next; //0x0
				ULONGLONG Flink : 36; //0x0
				ULONGLONG NodeFlinkHigh : 28; //0x0
				ULONGLONG Active; //0x0
			} u1; //0x0
			union
			{
				ULONGLONG* PteAddress; //0x8
				ULONGLONG PteLong; //0x8
			};
			ULONGLONG OriginalPte; //0x10
		};
	};
	ULONGLONG u2; //0x18
	union
	{
		struct
		{
			USHORT ReferenceCount; //0x20
			UCHAR e1; //0x22
		};
		struct
		{
			UCHAR e3; //0x23
			struct
			{
				USHORT ReferenceCount; //0x20
			} e2; //0x20
		};
		struct
		{
			ULONG EntireField; //0x20
		} e4; //0x20
	} u3; //0x20
	USHORT NodeBlinkLow; //0x24
	UCHAR Unused : 4; //0x26
	UCHAR Unused2 : 4; //0x26
	union
	{
		UCHAR ViewCount; //0x27
		UCHAR NodeFlinkLow; //0x27
	};
	// u4: bit-field view and the whole-qword view (EntireField) of the same
	// 8 bytes; the code only uses EntireField with a hard-coded mask.
	union
	{
		ULONGLONG PteFrame : 36; //0x28
		ULONGLONG Channel : 2; //0x28
		ULONGLONG Unused1 : 1; //0x28
		ULONGLONG Unused2 : 1; //0x28
		ULONGLONG Partition : 10; //0x28
		ULONGLONG Spare : 2; //0x28
		ULONGLONG FileOnly : 1; //0x28
		ULONGLONG PfnExists : 1; //0x28
		ULONGLONG PageIdentity : 3; //0x28
		ULONGLONG PrototypePte : 1; //0x28  (bit 57 == 0x200000000000000)
		ULONGLONG PageColor : 6; //0x28
		ULONGLONG EntireField; //0x28
	} u4; //0x28
}MMPFN,*PMMPFN;
74 |
// Replace the process's KUSER_SHARED_DATA mapping with a private copy.
// Requires GetPfnDatabase() to have succeeded.
VOID HookKuserSharedData(Hider::PHIDDEN_PROCESS HiddenProcess);

// Restore the real page and free the copy.
VOID UnHookKuserSharedData(Hider::PHIDDEN_PROCESS HiddenProcess);

// Snapshot the live clocks when the debuggee is stopped ...
VOID GetBegin(PEPROCESS DebuggedProcess);

// ... and fold the elapsed pause into the Delta* accumulators when resumed.
VOID UpdateDelta(PEPROCESS DebuggedProcess);

// System-thread routine that refreshes every fake page about once per ms.
VOID CounterUpdater(PVOID Context);

// Locate nt!MmPfnDatabase by signature; FALSE on an unsupported build.
BOOLEAN GetPfnDatabase();
--------------------------------------------------------------------------------
/HyperHideDrv/Log.cpp:
--------------------------------------------------------------------------------
1 | #define _NO_CRT_STDIO_INLINE
2 | #include
3 | #include
4 | #include
5 | #include "Log.h"
6 |
// Bracketed tag for a log level; unknown values map to "[UNKNOWN]".
static const char* LogTypeTag(__log_type Type)
{
	switch (Type)
	{
	case LOG_TYPE_DEBUG: return "[DEBUG]";
	case LOG_TYPE_DUMP:  return "[DUMP]";
	case LOG_TYPE_ERROR: return "[ERROR]";
	case LOG_TYPE_INFO:  return "[INFORMATION]";
	default:             return "[UNKNOWN]";
	}
}

// Format a log line as "[hh:mm:ss.mmm] [LEVEL] message\r\n" and hand it to
// DbgPrintEx (DPFLTR_IHVDRIVER_ID, error level, so it shows up in DbgView /
// WinDbg without changing the default filter mask).
//
// fmt/... are printf-style; the LogXxx macros in Log.h always supply a
// string-literal format, which is what keeps untrusted text out of the
// format position. The message is truncated, never overflowed: every
// RtlStringCch* call is bounded by its buffer and NUL-terminates on
// STATUS_BUFFER_OVERFLOW. The final DbgPrintEx uses a fixed "%s" so the
// assembled line is never re-interpreted as a format string.
//
// Buffer sizes: 20 (time) + 13 ("[INFORMATION]") + 412 (message) + 2 spaces
// + "\r\n" fits within the 512-byte output buffer.
void LogPrint(__log_type Type, const char* fmt, ...)
{
	char TimeBuffer[20] = {};
	char MessageBuffer[412] = {};
	char OutputBuffer[512] = {};

	// Local wall-clock timestamp.
	LARGE_INTEGER SystemTime;
	LARGE_INTEGER LocalTime;
	TIME_FIELDS TimeFields;
	KeQuerySystemTime(&SystemTime);
	ExSystemTimeToLocalTime(&SystemTime, &LocalTime);
	RtlTimeToTimeFields(&LocalTime, &TimeFields);

	RtlStringCchPrintfA(
		TimeBuffer,
		sizeof(TimeBuffer),
		"[%02hd:%02hd:%02hd.%03hd]",
		TimeFields.Hour,
		TimeFields.Minute,
		TimeFields.Second,
		TimeFields.Milliseconds);

	// Caller's message.
	va_list Args = {};
	va_start(Args, fmt);
	RtlStringCchVPrintfA(MessageBuffer, sizeof(MessageBuffer), fmt, Args);
	va_end(Args);

	// Assemble and emit.
	RtlStringCchPrintfA(
		OutputBuffer,
		sizeof(OutputBuffer),
		"%s %s %s\r\n",
		TimeBuffer,
		LogTypeTag(Type),
		MessageBuffer);

	DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "%s", OutputBuffer);
}
--------------------------------------------------------------------------------
/HyperHideDrv/Log.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Logging helpers. Each prefixes the message with " [function:line] ".
//
// `" [%s:%d] " format` relies on string-literal concatenation, so `format`
// must itself be a string literal — a runtime string (e.g. something taken
// from user mode) does not compile in that position. That is what prevents
// format-string injection through these macros; keep it that way rather than
// switching to a runtime concatenation.
//
// Calling a macro with no variadic arguments leaves a trailing comma after
// __LINE__; MSVC accepts this, other compilers may not (__VA_OPT__ would be
// the portable form).
#define LogError(format, ...) \
LogPrint(LOG_TYPE_ERROR," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogDebug(format, ...) \
LogPrint(LOG_TYPE_DEBUG," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogDump(format, ...) \
LogPrint(LOG_TYPE_DUMP," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogInfo(format, ...) \
LogPrint(LOG_TYPE_INFO," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
10 |
// Log levels; LogPrint maps each to a bracketed tag (unknown → "[UNKNOWN]").
// (Identifiers beginning with a double underscore are reserved for the
// implementation; renaming this is a cosmetic cleanup for a later pass.)
enum __log_type
{
	LOG_TYPE_DEBUG,
	LOG_TYPE_ERROR,
	LOG_TYPE_DUMP,
	LOG_TYPE_INFO
};

// printf-style sink behind the LogXxx macros; output goes to DbgPrintEx.
// fmt must be trusted (a literal) — see the macros above.
void LogPrint(__log_type type, const char* fmt, ...);
--------------------------------------------------------------------------------
/HyperHideDrv/Notifiers.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | #include
3 | #include "Hider.h"
4 | #include "Utils.h"
5 | #include "Ntapi.h"
6 | #include "Log.h"
7 | #include
8 |
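// PsSetCreateThreadNotifyRoutine callback. On thread exit, drop the thread
// from the hidden-process bookkeeping so later syscall filtering does not
// act on a stale ETHREAD.
//
// Fix over the previous version: PsLookupThreadByThreadId returns a
// *referenced* ETHREAD and the reference was never released, so every thread
// exit on the system leaked one object reference (the ETHREAD could never be
// freed) for as long as the driver was loaded. The reference is now released
// after Hider::TruncateThreadList has used the pointer.
//
// NOTE(review): this assumes TruncateThreadList does not keep the ETHREAD
// pointer without taking its own reference, and that PidToProcess (not
// visible here) does not hand out a reference that also needs releasing —
// confirm both.
VOID ThreadNotifyRoutine(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create)
{
	if (Create != FALSE)
		return;

	PETHREAD ExitingThread = NULL;
	if (!NT_SUCCESS(PsLookupThreadByThreadId(ThreadId, &ExitingThread)))
		return;

	Hider::TruncateThreadList(PidToProcess(ProcessId), ExitingThread);

	ObDereferenceObject(ExitingThread);
}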
18 |
// PsSetCreateProcessNotifyRoutine callback. Process creation is ignored; on
// exit the process's hider entry (if any) is removed so its hooks and fake
// pages are torn down. ParentId is unused.
// NOTE(review): whether PidToProcess returns a referenced EPROCESS that
// RemoveEntry is expected to release is not visible here — confirm.
VOID ProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
	UNREFERENCED_PARAMETER(ParentId);

	if (Create != FALSE)
		return;

	Hider::RemoveEntry(PidToProcess(ProcessId));
}
--------------------------------------------------------------------------------
/HyperHideDrv/Notifiers.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Thread create/exit callback (PsSetCreateThreadNotifyRoutine); only the exit
// case does work: it removes the thread from the hider's per-process list.
VOID ThreadNotifyRoutine(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create);

// Process create/exit callback (PsSetCreateProcessNotifyRoutine); on exit the
// process's hider entry is removed.
VOID ProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
--------------------------------------------------------------------------------
/HyperHideDrv/Ntapi.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "Ntstructs.h"
4 |
// Prototypes for kernel exports that are missing from the WDK headers or are
// undocumented. Most of these have no stability guarantee; the signatures
// below are the ones this driver links against and must be rechecked when
// moving to a new Windows build.
extern "C"
{
	// Queues a user-mode exception for the current thread when it returns.
	NTSTATUS NTAPI KeRaiseUserException(NTSTATUS Status);

	// Runs Routine on every processor as a DPC; used by HypervisorGateway.cpp
	// to broadcast VMCALLs. Routine must call KeSignalCallDpcSynchronize then
	// KeSignalCallDpcDone.
	VOID NTAPI KeGenericCallDpc
	(
		_In_ PKDEFERRED_ROUTINE Routine,
		_In_ PVOID Context
	);

	VOID NTAPI KeSignalCallDpcDone
	(
		_In_ PVOID SystemArgument1
	);

	BOOLEAN NTAPI KeSignalCallDpcSynchronize
	(
		_In_ PVOID SystemArgument2
	);

	// Attach/detach the current thread to another process's address space.
	NTKERNELAPI VOID KeStackAttachProcess
	(
		_Inout_ PRKPROCESS PROCESS,
		_Out_ PRKAPC_STATE ApcState
	);

	NTKERNELAPI VOID KeUnstackDetachProcess
	(
		_In_ PRKAPC_STATE ApcState
	);

	NTKERNELAPI NTSTATUS NTAPI ZwQuerySystemInformation
	(
		IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
		OUT PVOID SystemInformation,
		IN ULONG SystemInformationLength,
		OUT PULONG ReturnLength OPTIONAL
	);

	// Cross-process copy. With PreviousMode == UserMode the kernel probes the
	// user-mode side itself; with KernelMode no probing is done, so callers
	// must never pass untrusted user addresses with KernelMode.
	NTSTATUS NTAPI MmCopyVirtualMemory
	(
		PEPROCESS SourceProcess,
		PVOID SourceAddress,
		PEPROCESS TargetProcess,
		PVOID TargetAddress,
		SIZE_T BufferSize,
		KPROCESSOR_MODE PreviousMode,
		PSIZE_T ReturnSize
	);

	// Returns the WoW64 PEB (non-NULL for 32-bit processes on x64).
	NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process
	(
		IN PEPROCESS Process
	);

	// Returns the native PEB; it lives in user memory, so it must only be
	// accessed while attached to the process and under __try/__except.
	NTKERNELAPI PPEB NTAPI PsGetProcessPeb
	(
		IN PEPROCESS Process
	);

	NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName
	(
		PUNICODE_STRING ObjectName,
		ULONG Attributes,
		PACCESS_STATE AccessState,
		ACCESS_MASK DesiredAccess,
		POBJECT_TYPE ObjectType,
		KPROCESSOR_MODE AccessMode,
		PVOID ParseContext OPTIONAL,
		PVOID* Object
	);

	// NOTE(review): the kernel export PsGetProcessImageFileName returns the
	// 15-character ANSI EPROCESS.ImageFileName (a PCHAR), not a wide string.
	// Declaring it as WCHAR* makes every consumer read it as UTF-16 — confirm
	// how the callers use the result.
	NTSYSAPI WCHAR* NTAPI PsGetProcessImageFileName(PEPROCESS Process);

	NTSYSAPI NTSTATUS NTAPI ZwQueryInformationJobObject(
		HANDLE JobHandle,
		JOBOBJECTINFOCLASS JobInformationClass,
		PVOID JobInformation,
		ULONG JobInformationLength,
		PULONG ReturnLength
	);

	NTSTATUS NTAPI ZwQueryInformationProcess(
		HANDLE ProcessHandle,
		PROCESSINFOCLASS ProcessInformationClass,
		PVOID ProcessInformation,
		ULONG ProcessInformationLength,
		PULONG ReturnLength
	);

	// Searches Process's handle table for a handle to Object (undocumented).
	BOOLEAN NTAPI ObFindHandleForObject(
		__in PEPROCESS Process,
		__in_opt PVOID Object OPTIONAL,
		__in_opt POBJECT_TYPE ObjectType OPTIONAL,
		__in_opt POBJECT_HANDLE_INFORMATION HandleInformation,
		__out PHANDLE Handle
	);

	NTSTATUS NTAPI ZwSetInformationProcess(
		HANDLE ProcessHandle,
		PROCESSINFOCLASS ProcessInformationClass,
		PVOID ProcessInformation,
		ULONG ProcessInformationLength
	);

	// TRUE if a debug port is attached to Process.
	BOOLEAN NTAPI PsIsProcessBeingDebugged(PEPROCESS Process);

	// Parent PID as recorded at creation time.
	HANDLE NTAPI
	PsGetProcessInheritedFromUniqueProcessId(
		__in PEPROCESS Process
	);

	PVOID NTAPI PsGetCurrentProcessWow64Process();

	// Reads Thread's register context; Mode controls probing of ThreadContext
	// (UserMode probes/captures, KernelMode trusts the pointer).
	NTSTATUS
	PsGetContextThread(
		__in PETHREAD Thread,
		__inout PCONTEXT ThreadContext,
		__in KPROCESSOR_MODE Mode
	);
}
--------------------------------------------------------------------------------
/HyperHideDrv/Ntenums.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Loader's reason codes for a module load (LDR_DATA_TABLE_ENTRY.LoadReason).
// Values mirror the public ntdef/winternl definitions.
enum _LDR_DLL_LOAD_REASON
{
	LoadReasonStaticDependency = 0,
	LoadReasonStaticForwarderDependency = 1,
	LoadReasonDynamicForwarderDependency = 2,
	LoadReasonDelayloadDependency = 3,
	LoadReasonDynamicLoad = 4,
	LoadReasonAsImageLoad = 5,
	LoadReasonAsDataLoad = 6,
	LoadReasonEnclavePrimary = 7,
	LoadReasonEnclaveDependency = 8,
	LoadReasonUnknown = -1
};
16 |
// Argument of PsSetCreateThreadNotifyRoutineEx; Subsystems also reports
// threads of non-Win32 subsystems.
typedef enum _PSCREATETHREADNOTIFYTYPE {
	PsCreateThreadNotifyNonSystem = 0,
	PsCreateThreadNotifySubsystems = 1
} PSCREATETHREADNOTIFYTYPE;
21 |
// Only the NtSystemDebugControl commands this driver cares about (both
// produce kernel memory dumps, which a debuggee could use to look for the
// debugger); the full enumeration is much larger.
enum SYSDBG_COMMAND
{
	SysDbgGetTriageDump = 29,
	SysDbgGetLiveKernelDump = 37,
};
27 |
// Information classes for NtQueryInformationJobObject. The ReservedN names
// deliberately alias values 18..25 (the public SDK names for classes that
// later headers document); duplicates are intentional, not a typo.
enum JOBOBJECTINFOCLASS
{
	JobObjectBasicAccountingInformation = 1,
	JobObjectBasicLimitInformation = 2,
	JobObjectBasicProcessIdList = 3,
	JobObjectBasicUIRestrictions = 4,
	JobObjectSecurityLimitInformation = 5,
	JobObjectEndOfJobTimeInformation = 6,
	JobObjectAssociateCompletionPortInformation = 7,
	JobObjectBasicAndIoAccountingInformation = 8,
	JobObjectExtendedLimitInformation = 9,
	JobObjectJobSetInformation = 10,
	JobObjectGroupInformation = 11,
	JobObjectNotificationLimitInformation = 12,
	JobObjectLimitViolationInformation = 13,
	JobObjectGroupInformationEx = 14,
	JobObjectCpuRateControlInformation = 15,
	JobObjectCompletionFilter = 16,
	JobObjectCompletionCounter = 17,
	JobObjectFreezeInformation = 18,
	JobObjectExtendedAccountingInformation = 19,
	JobObjectWakeInformation = 20,
	JobObjectBackgroundInformation = 21,
	JobObjectSchedulingRankBiasInformation = 22,
	JobObjectTimerVirtualizationInformation = 23,
	JobObjectCycleTimeNotification = 24,
	JobObjectClearEvent = 25,
	// aliases of 18..25
	JobObjectReserved1Information = 18,
	JobObjectReserved2Information = 19,
	JobObjectReserved3Information = 20,
	JobObjectReserved4Information = 21,
	JobObjectReserved5Information = 22,
	JobObjectReserved6Information = 23,
	JobObjectReserved7Information = 24,
	JobObjectReserved8Information = 25,
	MaxJobObjectInfoClass = 26
};
65 |
// Window information classes. Values are implicit: WindowProcess = 0 through
// WindowIsForegroundThread = 6.
typedef enum _WINDOWINFOCLASS {
	WindowProcess,
	WindowThread,
	WindowActiveWindow,
	WindowFocusWindow,
	WindowIsHung,
	WindowClientBase,
	WindowIsForegroundThread,
} WINDOWINFOCLASS;
75 |
// Thread-state query selector. Implicit values: THREADSTATE_GETTHREADINFO = 0,
// THREADSTATE_ACTIVEWINDOW = 1.
typedef enum _THREAD_STATE_ROUTINE
{
	THREADSTATE_GETTHREADINFO,
	THREADSTATE_ACTIVEWINDOW
} THREAD_STATE_ROUTINE;
--------------------------------------------------------------------------------
/HyperHideDrv/Peb.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | #include
3 | #include "Ntapi.h"
4 | #include "Log.h"
5 | #include "Peb.h"
6 |
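// Sets or clears PEB.BeingDebugged in TargetProcess.
//
// Both the native PEB and, for a WOW64 process, the 32-bit PEB are written so
// that a BeingDebugged check made from either side of the process sees the
// same value. The PEB is user-mode memory, so the writes run while attached to
// the target's address space and inside __try: a page that cannot be written
// (e.g. the process is tearing down) is logged and reported as FALSE instead
// of bugchecking the machine.
//
// TargetProcess - process whose PEB(s) are modified.
// Value         - new BeingDebugged value.
// Returns TRUE when every write succeeded, FALSE when the process has no PEB
// at all or a write faulted.
// (The misspelt name is kept: it is the function's exported interface.)
BOOLEAN SetPebDeuggerFlag(PEPROCESS TargetProcess, BOOLEAN Value)
{
	PPEB Peb = PsGetProcessPeb(TargetProcess);
	PPEB32 Peb32 = (PPEB32)PsGetProcessWow64Process(TargetProcess);

	if (Peb == NULL && Peb32 == NULL)
	{
		LogError("Both pebs doesn't exist");
		return FALSE;
	}

	// Single attach/detach path for both PEBs; the previous version duplicated
	// the whole attach/try/detach sequence per branch and dereferenced the
	// native PEB unconditionally in the WOW64 branch, relying on SEH to catch NULL.
	KAPC_STATE State;
	KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);
	__try
	{
		// WOW64 process: its 32-bit PEB exists alongside the native one.
		if (Peb32 != NULL)
			Peb32->BeingDebugged = Value;

		if (Peb != NULL)
			Peb->BeingDebugged = Value;
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		LogError("Access Violation");
		KeUnstackDetachProcess(&State);
		return FALSE;
	}
	KeUnstackDetachProcess(&State);

	return TRUE;
}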
54 |
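// Clears the heap-debugging bits from PEB.NtGlobalFlag in TargetProcess.
//
// The mask 0x70 is FLG_HEAP_ENABLE_TAIL_CHECK (0x10) | FLG_HEAP_ENABLE_FREE_CHECK
// (0x20) | FLG_HEAP_VALIDATE_PARAMETERS (0x40): the bits a process started
// under a debugger usually carries, and which anti-debug checks on
// NtGlobalFlag look for. Both the native PEB and, for a WOW64 process, the
// 32-bit PEB are updated.
//
// The PEB is user-mode memory, so the writes run while attached to the target
// and inside __try; a faulting write is logged and reported as FALSE rather
// than bugchecking.
//
// Returns TRUE when the write(s) succeeded, FALSE when no PEB exists or a
// write faulted.
BOOLEAN ClearPebNtGlobalFlag(PEPROCESS TargetProcess)
{
	// FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS
	CONST ULONG HeapDebugFlags = 0x70;

	PPEB Peb = PsGetProcessPeb(TargetProcess);
	PPEB32 Peb32 = (PPEB32)PsGetProcessWow64Process(TargetProcess);

	if (Peb == NULL && Peb32 == NULL)
	{
		LogError("Both pebs doesn't exist");
		return FALSE;
	}

	// One attach/detach path for both PEBs instead of a duplicated
	// attach/try/detach sequence per branch.
	KAPC_STATE State;
	KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);
	__try
	{
		if (Peb32 != NULL)
			Peb32->NtGlobalFlag &= ~HeapDebugFlags;

		if (Peb != NULL)
			Peb->NtGlobalFlag &= ~HeapDebugFlags;
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		LogError("Access Violation");
		KeUnstackDetachProcess(&State);
		return FALSE;
	}
	KeUnstackDetachProcess(&State);

	return TRUE;
}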
--------------------------------------------------------------------------------
/HyperHideDrv/Pte.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Extended Page Table (EPT) leaf entry.
// Despite the generic name, the field set follows Intel's EPT PTE format
// (R/W/X permissions, EPT memory type, ignore-PAT, accessed/dirty, user-mode
// execute, suppress #VE) rather than the guest's own x64 page-table entry.
// The bit widths sum to 64. PhysicalAddress is 36 bits wide, i.e. the layout
// assumes a 48-bit physical address width (PFN in bits 47:12); on a CPU whose
// MAXPHYADDR exceeds 48, the extra PFN bits would fall into Reserved.
union PTE {
	unsigned __int64 All; // Whole entry, for reading/writing it in one go.
	struct {
		unsigned __int64 Read : 1; // bit 0
		unsigned __int64 Write : 1; // bit 1
		unsigned __int64 Execute : 1; // bit 2
		unsigned __int64 EPTMemoryType : 3; // bit 5:3 (EPT Memory type)
		unsigned __int64 IgnorePAT : 1; // bit 6
		unsigned __int64 Ignored1 : 1; // bit 7
		unsigned __int64 AccessedFlag : 1; // bit 8
		unsigned __int64 DirtyFlag : 1; // bit 9
		unsigned __int64 ExecuteForUserMode : 1; // bit 10
		unsigned __int64 Ignored2 : 1; // bit 11
		unsigned __int64 PhysicalAddress : 36; // bit (N-1):12 or Page-Frame-Number (N assumed to be 48 here)
		unsigned __int64 Reserved : 4; // bit 51:N
		unsigned __int64 Ignored3 : 11; // bit 62:52
		unsigned __int64 SuppressVE : 1; // bit 63
	}Fields;
};
--------------------------------------------------------------------------------
/HyperHideDrv/Ssdt.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | #include
3 | #include "Utils.h"
4 | #include "Log.h"
5 | #include "HypervisorGateway.h"
6 | #include "GlobalData.h"
7 | #include "Ntapi.h"
8 | #include
9 |
// One service descriptor entry of KeServiceDescriptorTable(Shadow) as laid
// out on x64. The shadow table holds two of these back to back: nt's, then
// win32k's (see NtTable / Win32kTable below).
typedef struct _SSDT
{
	LONG* ServiceTable;     // Entries encode (offset << 4) relative to ServiceTable itself; signed, see Hook*Syscall.
	PVOID CounterTable;     // Not referenced in this file.
	ULONG64 SyscallsNumber; // Number of entries in ServiceTable; used for bounds checks.
	PVOID ArgumentTable;    // Not referenced in this file.
}_SSDT, *_PSSDT;
17 |
// Both are zero-initialised and filled in by SSDT::GetSsdt(); they stay NULL
// until that succeeds.
_PSSDT NtTable;     // ntoskrnl's descriptor: first entry of the shadow table.
_PSSDT Win32kTable; // win32k's descriptor: NtTable + 1, second entry of the shadow table.

// Global driver state; only CurrentWindowsBuildNumber is read in this file.
extern HYPER_HIDE_GLOBAL_DATA g_HyperHide;
22 |
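namespace SSDT
{
	// Locates the shadow service descriptor table.
	//
	// Scans ntoskrnl's .text for the instruction pair that loads the two
	// descriptor tables into r10/r11:
	//   4C 8D 15 ?? ?? ?? ??   lea r10, [rip+disp32]
	//   4C 8D 1D ?? ?? ?? ??   lea r11, [rip+disp32]   <- target decoded below
	//   F7                     test ...
	// The decoded table has two entries: nt's (NtTable) followed by win32k's
	// (Win32kTable).
	//
	// Returns FALSE when the .text section or the signature cannot be found;
	// NtTable/Win32kTable are then left unchanged (zero-initialised until the
	// first success), and the Hook* functions reject requests until this succeeds.
	BOOLEAN GetSsdt()
	{
		PVOID KernelTextSectionBase = 0;
		ULONG64 KernelTextSectionSize = 0;

		if (GetSectionData("ntoskrnl.exe", ".text", KernelTextSectionSize, KernelTextSectionBase) == FALSE)
			return FALSE;

		CONST CHAR* Pattern = "\x4C\x8D\x15\x00\x00\x00\x00\x4C\x8D\x1D\x00\x00\x00\x00\xF7";
		CONST CHAR* Mask = "xxx????xxx????x";

		ULONG64 MatchAddress = (ULONG64)FindSignature(KernelTextSectionBase, KernelTextSectionSize, Pattern, Mask);
		if (MatchAddress == 0)
			return FALSE;

		// The second lea's disp32 sits at match+10 and is relative to the end of
		// that instruction (match+14). disp32 is a *signed* 32-bit value: the
		// previous ULONG read would zero-extend a negative displacement and
		// produce a bogus address, so read it as LONG and let it sign-extend.
		LONG Displacement = *(LONG*)(MatchAddress + 10);
		NtTable = (_PSSDT)(MatchAddress + 14 + Displacement);
		Win32kTable = NtTable + 1;

		return TRUE;
	}

	// Resolves the kernel address of a win32k system service.
	//
	// win32k lives in session space, so the lookup runs while attached to csrss
	// (a session process) so that memory is addressable.
	// Builds newer than WINDOWS_8_1: resolved by export name from win32kfull.sys
	// (SyscallName). Older builds: decoded from the win32k service table by
	// SyscallIndex, using the same (offset << 4) encoding as the nt table.
	//
	// Returns NULL when csrss cannot be found, the image or export is missing,
	// the service table has not been resolved, or SyscallIndex is out of range.
	PVOID GetWin32KFunctionAddress(CONST CHAR* SyscallName, SHORT SyscallIndex)
	{
		PVOID AddressOfTargetFunction = 0;

		PEPROCESS CsrssProcess = GetCsrssProcess();
		if (CsrssProcess == NULL)
		{
			// Attaching to a NULL process would bugcheck.
			LogError("Csrss process not found");
			return NULL;
		}

		KAPC_STATE State;
		KeStackAttachProcess((PRKPROCESS)CsrssProcess, &State);

		if (g_HyperHide.CurrentWindowsBuildNumber > WINDOWS_8_1)
		{
			ULONG64 ImageSize;
			PVOID ImageBaseAddress;

			if (GetProcessInfo("win32kfull.sys", ImageSize, ImageBaseAddress) == TRUE)
				AddressOfTargetFunction = GetExportedFunctionAddress(NULL, ImageBaseAddress, SyscallName);
		}
		else if (Win32kTable != NULL && SyscallIndex >= 0 && (ULONG64)SyscallIndex < Win32kTable->SyscallsNumber)
		{
			// SyscallIndex is SHORT: reject negatives and anything past the table end
			// before indexing. Entries are signed; >> 4 drops the low nibble.
			AddressOfTargetFunction = (PVOID)((ULONG64)Win32kTable->ServiceTable + (Win32kTable->ServiceTable[SyscallIndex] >> 4));
		}
		else
		{
			LogError("There is no such syscall");
		}

		KeUnstackDetachProcess(&State);

		return AddressOfTargetFunction;
	}

	// You can get SyscallIndex on https://j00ru.vexillium.org/syscalls/nt/64/ for 64 bit system nt syscalls
	// And https://j00ru.vexillium.org/syscalls/win32k/64/ for 64 bit system win32k syscalls

	// Hooks an nt system service by SSDT index via the hypervisor.
	//
	// SyscallIndex       - index into the nt service table (0 .. SyscallsNumber-1).
	// NewFunctionAddress - handler installed by hv::hook_function.
	// OriginFunction     - passed through to hv::hook_function (presumably
	//                      receives a pointer for calling the original).
	// Returns FALSE when GetSsdt() has not succeeded yet, the index is out of
	// range, or hv::hook_function fails.
	BOOLEAN HookNtSyscall(ULONG SyscallIndex, PVOID NewFunctionAddress, PVOID* OriginFunction)
	{
		if (NtTable == NULL)
		{
			LogError("Ssdt not resolved");
			return FALSE;
		}

		// Valid indices are 0 .. SyscallsNumber-1; the previous '>' let
		// SyscallIndex == SyscallsNumber read one entry past the table.
		if (SyscallIndex >= NtTable->SyscallsNumber)
		{
			LogError("There is no such syscall");
			return FALSE;
		}

		// x64 service table entries hold (offset << 4) relative to the table base;
		// the entries are signed, so the arithmetic shift preserves negative offsets.
		PVOID AddressOfTargetFunction = (PVOID)((ULONG64)NtTable->ServiceTable + (NtTable->ServiceTable[SyscallIndex] >> 4));
		return hv::hook_function(AddressOfTargetFunction, NewFunctionAddress, OriginFunction);
	}

	// Hooks a win32k system service via the hypervisor.
	//
	// The target is resolved with GetWin32KFunctionAddress (name on newer builds,
	// index on older ones). The hook itself is installed while attached to csrss
	// so the session-space target is addressable.
	// Returns FALSE when the target or csrss cannot be resolved, or when
	// hv::hook_function fails.
	BOOLEAN HookWin32kSyscall(CHAR* SyscallName, SHORT SyscallIndex, PVOID NewFunctionAddress, PVOID* OriginFunction)
	{
		PVOID AddressOfTargetFunction = GetWin32KFunctionAddress(SyscallName, SyscallIndex);
		if (AddressOfTargetFunction == NULL)
			return FALSE;

		PEPROCESS CsrssProcess = GetCsrssProcess();
		if (CsrssProcess == NULL)
		{
			LogError("Csrss process not found");
			return FALSE;
		}

		KAPC_STATE State;
		KeStackAttachProcess((PRKPROCESS)CsrssProcess, &State);

		BOOLEAN Status = hv::hook_function(AddressOfTargetFunction, NewFunctionAddress, OriginFunction);

		KeUnstackDetachProcess(&State);

		return Status;
	}
}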
--------------------------------------------------------------------------------
/HyperHideDrv/Ssdt.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
namespace SSDT
{
	// Hooks a win32k system service (Ssdt.cpp). SyscallName is used on builds
	// newer than Windows 8.1 (export lookup in win32kfull.sys), SyscallIndex on
	// older builds (win32k service-table index). Returns FALSE when the target
	// cannot be resolved or the hook fails.
	BOOLEAN HookWin32kSyscall(CHAR* SyscallName, SHORT SyscallIndex, PVOID NewFunctionAddress, PVOID* OriginFunction);

	// Hooks an nt system service by SSDT index. Requires a prior successful
	// GetSsdt(). OriginFunction is passed through to hv::hook_function
	// (presumably receives a pointer for calling the original).
	BOOLEAN HookNtSyscall(ULONG SyscallIndex, PVOID NewFunctionAddress, PVOID* OriginFunction);

	// Locates KeServiceDescriptorTableShadow by signature scan of ntoskrnl's
	// .text; must succeed before any Hook* call. Returns FALSE if the section
	// or the pattern is not found.
	BOOLEAN GetSsdt();

	// Address of a win32k service, or NULL. Same name/index rules as
	// HookWin32kSyscall; runs attached to csrss.
	PVOID GetWin32KFunctionAddress(CONST CHAR* SyscallName, SHORT SyscallIndex);
}
--------------------------------------------------------------------------------
/HyperHideDrv/Utils.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "Ntstructs.h"
4 | #include "Hider.h"
5 |
// Byte offsets of undocumented EPROCESS/ETHREAD fields that vary between
// Windows builds. Presumably populated at runtime by GetOffsets() (declared
// below) and consumed by the Clear*/Is* helpers that follow - confirm in Utils.cpp.
typedef struct _NTAPI_OFFSETS
{
	ULONG SeAuditProcessCreationInfoOffset;
	ULONG BypassProcessFreezeFlagOffset;
	ULONG ThreadHideFromDebuggerFlagOffset;
	ULONG ThreadBreakOnTerminationFlagOffset;
	ULONG PicoContextOffset;
	ULONG RestrictSetThreadContextOffset;
}NTAPI_OFFSETS;
15 |
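// Resolves a process id to a referenced PEPROCESS.
//
// T is any type that can be cast to HANDLE (integer PIDs or HANDLE values).
// Returns NULL when PsLookupProcessByProcessId fails (e.g. no such process)
// instead of handing back an indeterminate pointer, which the previous version
// did because it ignored the NTSTATUS. On success the returned object carries
// a reference taken by PsLookupProcessByProcessId; the caller must release it
// with ObDereferenceObject when done.
template <typename T>
PEPROCESS PidToProcess(T Pid)
{
	PEPROCESS Process = NULL;
	if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)Pid, &Process)))
		return NULL;

	return Process;
}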
23 |
// Used by SSDT::* to attach to a session process before touching win32k.
// Callers must handle a NULL return.
PEPROCESS GetCsrssProcess();

ULONG64 GetPteAddress(ULONG64 Address);

// Byte-pattern search over [Memory, Memory+Size). Mask uses 'x' for a byte
// that must match Pattern and '?' for a wildcard (see SSDT::GetSsdt for an
// example). Callers treat NULL as "not found".
PVOID FindSignature(PVOID Memory, ULONG64 Size, PCSZ Pattern, PCSZ Mask);

// Despite the name, this is called with a driver image name ("win32kfull.sys")
// in Ssdt.cpp; returns the image's size and base through the out-parameters.
BOOLEAN GetProcessInfo(CONST CHAR* Name, _Out_ ULONG64& ImageSize, _Out_ PVOID& ImageBase);

PEPROCESS GetProcessByName(CONST WCHAR* ProcessName);

BOOLEAN RtlUnicodeStringContains(PUNICODE_STRING Str, PUNICODE_STRING SubStr, BOOLEAN CaseInsensitive);

// Base and size of a named PE section of a loaded module,
// e.g. ("ntoskrnl.exe", ".text", ...) in SSDT::GetSsdt.
BOOLEAN GetSectionData(CONST CHAR* ModuleName, CONST CHAR* SectionName, ULONG64& SectionSize, PVOID& SectionBaseAddress);

BOOLEAN ClearBypassProcessFreezeFlag(PEPROCESS Process);

BOOLEAN ClearThreadHideFromDebuggerFlag(PEPROCESS Process);

// Export lookup by name in the module at ModuleBase. Process may be NULL:
// Ssdt.cpp passes NULL for the kernel image win32kfull.sys.
PVOID GetExportedFunctionAddress(PEPROCESS Process, PVOID ModuleBase, CONST CHAR* ExportedFunctionName);

BOOLEAN ClearProcessBreakOnTerminationFlag(Hider::PHIDDEN_PROCESS HiddenProcess);

BOOLEAN ClearThreadBreakOnTerminationFlags(PEPROCESS TargetProcess);

VOID SaveProcessDebugFlags(Hider::PHIDDEN_PROCESS HiddenProcess);

VOID SaveProcessHandleTracing(Hider::PHIDDEN_PROCESS HiddenProcess);

BOOLEAN IsPicoContextNull(PETHREAD TargetThread);

BOOLEAN IsSetThreadContextRestricted(PEPROCESS TargetProcess);

// Presumably fills the NTAPI_OFFSETS for the running build; FALSE means the
// offset-dependent helpers above must not be used.
BOOLEAN GetOffsets();

PVOID GetUserModeModule(PEPROCESS Process, CONST WCHAR* ModuleName, BOOLEAN IsWow64);

// Returned by value. Whether the caller owns (and must free) the Buffer is not
// visible from this header - check the definition before freeing.
UNICODE_STRING PsQueryFullProcessImageName(PEPROCESS TargetProcess);
--------------------------------------------------------------------------------
/HyperHideDrv/vmintrin.asm:
--------------------------------------------------------------------------------
1 | .CODE
; bool __vm_call(rcx = vmcall_reason, rdx, r8, r9)
; The four register arguments are left exactly where the x64 calling
; convention placed them; rax carries the magic value by which the hypervisor
; presumably recognises its own callers. The result is whatever the hypervisor
; leaves in rax (al for the bool).
; VMCALL only traps to a hypervisor in VMX non-root operation; with none
; running it raises #UD, which is why the scripts start airhv before HyperHideDrv.
__vm_call proc
	mov rax,0CDAEFAEDBBAEBEEFh ; vmcall identifier
	vmcall
	ret
__vm_call endp
7 |
; bool __vm_call_ex(rcx = vmcall_reason, rdx, r8, r9,
;                   [stack] r10, r11, r12, r13, r14, r15)
; Extended VMCALL: the six stack arguments are loaded into r10..r15 so the
; hypervisor can read all ten parameters from registers. r12..r15 are
; non-volatile in the x64 ABI and must be preserved across the call; r10/r11
; are volatile, so saving them is merely conservative.
; NOTE: plain `proc` without FRAME/.allocstack emits no unwind info for this
; frame, which is only acceptable as long as nothing between sub/add can fault.
__vm_call_ex proc
	mov rax,0CDAEFAEDBBAEBEEFh ; Our vmcall identifier

	; Spill r10..r15 into a 48-byte local area.
	sub rsp, 30h
	mov qword ptr [rsp], r10
	mov qword ptr [rsp + 8h], r11
	mov qword ptr [rsp + 10h], r12
	mov qword ptr [rsp + 18h], r13
	mov qword ptr [rsp + 20h], r14
	mov qword ptr [rsp + 28h], r15

	; Stack after the sub: [rsp+30h] return address, [rsp+38h..50h] the
	; caller's 32-byte register home area, so the 5th argument starts at +58h.
	mov r10, qword ptr [rsp + 58h]
	mov r11, qword ptr [rsp + 60h]
	mov r12, qword ptr [rsp + 68h]
	mov r13, qword ptr [rsp + 70h]
	mov r14, qword ptr [rsp + 78h]
	mov r15, qword ptr [rsp + 80h]

	vmcall
	; Restore the spilled registers; rax (presumably the hypervisor's result) is untouched.
	mov r10, qword ptr [rsp]
	mov r11, qword ptr [rsp + 8h]
	mov r12, qword ptr [rsp + 10h]
	mov r13, qword ptr [rsp + 18h]
	mov r14, qword ptr [rsp + 20h]
	mov r15, qword ptr [rsp + 28h]
	add rsp, 30h

	ret
__vm_call_ex endp
37 |
38 | END
--------------------------------------------------------------------------------
/HyperHideDrv/vmintrin.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Thin wrappers around the VMCALL instruction, implemented in vmintrin.asm.
// Both put the magic identifier 0CDAEFAEDBBAEBEEFh in rax and otherwise pass
// arguments in the registers their parameter names suggest:
//   __vm_call    - rcx = vmcall_reason, rdx, r8, r9 (left where the x64 ABI put them).
//   __vm_call_ex - the same, plus the six stack arguments copied into r10..r15
//                  for the duration of the VMCALL (r10..r15 are saved/restored).
// The bool result is presumably whatever the hypervisor returns in rax.
// VMCALL raises #UD when no hypervisor is active, so the hypervisor driver
// must be running before any of these are used.
extern "C"
{
	bool __vm_call(unsigned __int64 vmcall_reason, unsigned __int64 rdx, unsigned __int64 r8, unsigned __int64 r9);
	bool __vm_call_ex(unsigned __int64 vmcall_reason, unsigned __int64 rdx, unsigned __int64 r8, unsigned __int64 r9, unsigned __int64 r10, unsigned __int64 r11, unsigned __int64 r12, unsigned __int64 r13, unsigned __int64 r14, unsigned __int64 r15);
	// Not defined in vmintrin.asm as shown; implemented elsewhere.
	BOOLEAN __invept(unsigned __int32 Type, void* Descriptors);
}
--------------------------------------------------------------------------------
/Images/x32dbg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/Images/x32dbg.png
--------------------------------------------------------------------------------
/Images/x64dbg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Air14/HyperHide/cbbf364c8358ce479011139ef2ae1f72d5bceeec/Images/x64dbg.png
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2022 Air
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/Scripts/create.bat:
--------------------------------------------------------------------------------
:: Registers both kernel drivers with the Service Control Manager; run from an
:: elevated prompt. The space after '=' in "type= Kernel" / "binpath= ..." is
:: required by sc.exe's syntax. No start= is given, so both default to demand
:: start and must be started explicitly (see on.bat). The .sys files must
:: already be present at the given paths.
sc create airhv type= Kernel binpath= C:\Windows\system32\drivers\airhv.sys
sc create HyperHideDrv type= Kernel binpath= C:\Windows\system32\drivers\HyperHideDrv.sys
pause
--------------------------------------------------------------------------------
/Scripts/off.bat:
--------------------------------------------------------------------------------
:: Stops the drivers in the reverse of on.bat's order: HyperHideDrv first,
:: then the hypervisor (airhv). Requires an elevated prompt.
sc stop HyperHideDrv
sc stop airhv
pause
--------------------------------------------------------------------------------
/Scripts/on.bat:
--------------------------------------------------------------------------------
:: Starts the hypervisor (airhv) first: HyperHideDrv issues VMCALLs
:: (vmintrin.asm), which fault with #UD unless a hypervisor is already running.
:: Requires an elevated prompt.
sc start airhv
sc start HyperHideDrv
pause
--------------------------------------------------------------------------------