├── .gitattributes
├── .gitmodules
├── HyperDbgTool
├── CLoadDriver.h
├── CSymbols.cpp
├── CSymbols.h
├── Function.cpp
├── Function.h
├── HyperDbgTool.aps
├── HyperDbgTool.cpp
├── HyperDbgTool.h
├── HyperDbgTool.rc
├── HyperDbgTool.vcxproj
├── HyperDbgTool.vcxproj.filters
├── HyperDbgTool.vcxproj.user
├── HyperDbgToolDlg.cpp
├── HyperDbgToolDlg.h
├── Symbols
│ ├── dbghelp.dll
│ ├── symsrv.dll
│ └── symsrv.yes
├── dll-exports-main.zip
├── downloadSymbolsTest.cpp
├── downloadSymbolsTest.h
├── framework.h
├── loadDriver.cpp
├── loadDriver.h
├── mylog.cpp
├── mylog.h
├── ntdll.h
├── pch.cpp
├── pch.h
├── res
│ ├── HyperDbgTool.ico
│ └── HyperDbgTool.rc2
├── resource.h
├── symsrv.yes
└── targetver.h
├── HyperHide.ini
├── HyperHide.sln
├── HyperHide
├── HyperHide.vcxproj
├── HyperHide.vcxproj.filters
├── HyperHide.vcxproj.user
├── HyperHideDrv.cpp
├── HyperHideDrv.h
├── HyperHideIcon.png
├── IniApi.cpp
├── IniApi.h
├── Ioctl.h
├── Settings.cpp
├── Settings.h
├── Tooltips.cpp
├── Tooltips.h
├── pluginconfig.h
├── pluginmain.cpp
├── pluginmain.h
├── pluginsdk
│ ├── DeviceNameResolver
│ │ ├── DeviceNameResolver.h
│ │ ├── DeviceNameResolver_x64.a
│ │ ├── DeviceNameResolver_x64.lib
│ │ ├── DeviceNameResolver_x86.a
│ │ └── DeviceNameResolver_x86.lib
│ ├── TitanEngine
│ │ ├── TitanEngine.h
│ │ ├── TitanEngine_x64.a
│ │ ├── TitanEngine_x64.lib
│ │ ├── TitanEngine_x86.a
│ │ └── TitanEngine_x86.lib
│ ├── XEDParse
│ │ ├── XEDParse.h
│ │ ├── XEDParse_x64.a
│ │ ├── XEDParse_x64.lib
│ │ ├── XEDParse_x86.a
│ │ └── XEDParse_x86.lib
│ ├── _dbgfunctions.h
│ ├── _plugin_types.h
│ ├── _plugins.h
│ ├── _scriptapi.h
│ ├── _scriptapi_argument.h
│ ├── _scriptapi_assembler.h
│ ├── _scriptapi_bookmark.h
│ ├── _scriptapi_comment.h
│ ├── _scriptapi_debug.h
│ ├── _scriptapi_flag.h
│ ├── _scriptapi_function.h
│ ├── _scriptapi_gui.h
│ ├── _scriptapi_label.h
│ ├── _scriptapi_memory.h
│ ├── _scriptapi_misc.h
│ ├── _scriptapi_module.h
│ ├── _scriptapi_pattern.h
│ ├── _scriptapi_register.h
│ ├── _scriptapi_stack.h
│ ├── _scriptapi_symbol.h
│ ├── bridgegraph.h
│ ├── bridgelist.h
│ ├── bridgemain.h
│ ├── dbghelp
│ │ ├── dbghelp.h
│ │ ├── dbghelp_x64.a
│ │ ├── dbghelp_x64.lib
│ │ ├── dbghelp_x86.a
│ │ └── dbghelp_x86.lib
│ ├── jansson
│ │ ├── jansson.h
│ │ ├── jansson_config.h
│ │ ├── jansson_x64.a
│ │ ├── jansson_x64.lib
│ │ ├── jansson_x64dbg.h
│ │ ├── jansson_x86.a
│ │ └── jansson_x86.lib
│ ├── lz4
│ │ ├── lz4.h
│ │ ├── lz4_x64.a
│ │ ├── lz4_x64.lib
│ │ ├── lz4_x86.a
│ │ ├── lz4_x86.lib
│ │ ├── lz4file.h
│ │ └── lz4hc.h
│ ├── x32bridge.lib
│ ├── x32dbg.lib
│ ├── x64bridge.lib
│ └── x64dbg.lib
├── resource.aps
├── resource.h
└── resource.rc
├── HyperHideDrv
├── ActiveProcessDbgList.c
├── ActiveProcessDbgList.h
├── CFunction.cpp
├── CFunction.h
├── CKernelDbg.cpp
├── CKernelDbg.h
├── CKernelTable.cpp
├── CKernelTable.h
├── CPeModule.cpp
├── CPeModule.h
├── DBGTOOL.c
├── DRRWE.c
├── DRRWE.h
├── DbgIsMyProcess.c
├── Dispatcher.cpp
├── Dispatcher.h
├── Driver.cpp
├── GlobalData.h
├── Header.h
├── Heap.cpp
├── Heap.h
├── Hider.cpp
├── Hider.h
├── HookHelper.cpp
├── HookHelper.h
├── HookedFunctions.cpp
├── HookedFunctions.h
├── HyperHideDrv.vcxproj
├── HyperHideDrv.vcxproj.filters
├── HyperHideDrv.vcxproj.user
├── HypervisorGateway.cpp
├── HypervisorGateway.h
├── Ioctl.h
├── KernelApi.cpp
├── KernelApi.h
├── KernelDbgStruct.h
├── KernelExportAPI.h
├── KernelStruct.h
├── KernelStruct1.h
├── KuserSharedData.cpp
├── KuserSharedData.h
├── Log.cpp
├── Log.h
├── Memroy.cpp
├── Memroy.h
├── Notifiers.cpp
├── Notifiers.h
├── Ntapi.h
├── Ntenums.h
├── Ntstructs.h
├── Peb.cpp
├── Peb.h
├── Pte.h
├── RWNoAttach.cpp
├── Ssdt.cpp
├── Ssdt.h
├── Txoo.h
├── Utils.cpp
├── Utils.h
├── dbgk1to2.c
├── dbgk1to2.h
├── dbgtool.h
├── myEthread.h
├── struct.h
├── vmintrin.asm
├── vmintrin.h
├── wrRegstry.c
├── wrRegstry.h
└── 获取汇编指令长度.h
├── LICENSE
├── README.md
├── airhv
├── airhv-main
│ ├── LICENSE
│ ├── README.md
│ ├── airhv.sln
│ ├── airhv
│ │ ├── airhv.vcxproj
│ │ ├── airhv.vcxproj.filters
│ │ ├── airhv.vcxproj.user
│ │ ├── allocators.h
│ │ ├── asm
│ │ │ ├── vm_context.asm
│ │ │ ├── vm_context.h
│ │ │ ├── vm_intrin.asm
│ │ │ └── vm_intrin.h
│ │ ├── common.h
│ │ ├── ept.cpp
│ │ ├── hypervisor_gateway.cpp
│ │ ├── hypervisor_gateway.h
│ │ ├── hypervisor_routines.cpp
│ │ ├── hypervisor_routines.h
│ │ ├── ia32
│ │ │ ├── cpuid.h
│ │ │ ├── cr.h
│ │ │ ├── dr.h
│ │ │ ├── ept.h
│ │ │ ├── exception.h
│ │ │ ├── msr.h
│ │ │ ├── mtrr.h
│ │ │ ├── rflags.h
│ │ │ ├── segment.h
│ │ │ ├── vmcs.h
│ │ │ └── vmcs_encodings.h
│ │ ├── interrupt.h
│ │ ├── invalidators.cpp
│ │ ├── invalidators.h
│ │ ├── lde
│ │ │ └── lde64.asm
│ │ ├── log.cpp
│ │ ├── log.h
│ │ ├── main.cpp
│ │ ├── ntapi.h
│ │ ├── poolmanager.cpp
│ │ ├── poolmanager.h
│ │ ├── spinlock.cpp
│ │ ├── vmcall_handler.cpp
│ │ ├── vmcall_handler.h
│ │ ├── vmcall_reason.h
│ │ ├── vmcs.cpp
│ │ ├── vmexit_handler.cpp
│ │ ├── vmexit_handler.h
│ │ ├── vmm.cpp
│ │ ├── vmm.h
│ │ └── xsave.h
│ └── airhvctrl
│ │ ├── airhvctrl.vcxproj
│ │ ├── airhvctrl.vcxproj.filters
│ │ ├── hypervisor_gateway.cpp
│ │ ├── hypervisor_gateway.h
│ │ ├── log.cpp
│ │ ├── log.h
│ │ ├── main.cpp
│ │ ├── nt.h
│ │ ├── utils.cpp
│ │ ├── utils.h
│ │ └── vmintrin.asm
└── airhv.txt
└── vtDebugger.zip
/.gitattributes:
--------------------------------------------------------------------------------
1 | *.h linguist-language=c++
2 | *.cpp linguist-language=c++
3 | *.c linguist-language=c
4 |
--------------------------------------------------------------------------------
/.gitmodules:
--------------------------------------------------------------------------------
1 | [submodule "airhv"]
2 | path = airhv
3 | url = https://github.com/Air14/airhv
4 |
--------------------------------------------------------------------------------
/HyperDbgTool/CLoadDriver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/CLoadDriver.h
--------------------------------------------------------------------------------
/HyperDbgTool/CSymbols.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/CSymbols.cpp
--------------------------------------------------------------------------------
/HyperDbgTool/CSymbols.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include "ntdll.h"
4 |
// One resolved symbol: its name and the address it was resolved to.
// Used with the ENUMSYMBOLSCALLBACK / CSymbols API declared below.
typedef struct _Address_Name
{
    IN char Name[MAX_PATH];   // symbol name (NUL-terminated, at most MAX_PATH bytes)
    PVOID Address;            // resolved address, or whatever the enumerator stored
}Address_Name,*PAddress_Name;
11 |
12 |
// Description of the kernel image, filled by CSymbols::GetKernelModuleInfo().
// Field names are kept as callers use them; "KernelPatch" and "KernelBass"
// presumably mean the kernel file path and image base — confirm in CSymbols.cpp.
typedef struct _Module_INFO
{
    char KernelName[MAX_PATH];   // module (file) name
    char KernelPatch[MAX_PATH];  // presumably the full path on disk — verify
    PVOID KernelBass;            // presumably the loaded image base — verify
    ULONG KernelSize;            // image size in bytes
}Module_INFO,*PModule_INFO;
20 |
// Per-symbol callback for CSymbols::GetSymbolsAll(): receives the symbol name
// and its address; the bool return is presumably "keep enumerating" — confirm in CSymbols.cpp.
typedef bool (*ENUMSYMBOLSCALLBACK)(char* Name, PVOID Address);
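// Symbol helper for the kernel image: looks up module information and walks
// all symbols, handing each (name, address) pair to a caller-supplied callback.
// The static EnumAllSymbolsCallBack has the dbghelp SymEnumSymbols callback
// shape (PSYMBOL_INFO, size, context), so the enumeration is presumably
// backed by dbghelp.dll from the Symbols/ directory — confirm in CSymbols.cpp.
class CSymbols
{
public:
    // SymbolsPatch: symbol search path handed to the symbol engine
    // (the commented example in the member below is a local directory).
    CSymbols(const char* SymbolsPatch);
    CSymbols();
    ~CSymbols();

    // Fills ModuleInfo with the kernel image description. Returns FALSE on failure.
    BOOLEAN GetKernelModuleInfo(OUT PModule_INFO ModuleInfo);
    // Enumerates every symbol of the loaded module, calling `callback` per symbol.
    // Returns FALSE when the enumeration could not be started.
    BOOLEAN GetSymbolsAll(ENUMSYMBOLSCALLBACK callback);

private:
    // In-class member declarations must not be qualified with the class name
    // (ill-formed in ISO C++; MSVC reports C4596 and rejects it under /permissive-).
    BOOLEAN InitSymHandler1();

protected:
    HANDLE m_hProcess = 0;       // process handle given to the symbol engine
    DWORD64 m_BaseOfDll = 0;     // load base the module's symbols were registered at

    const char* m_SymbolsPatch=0;//"E:\\symbols"
    char* m_Name = 0;
    PVOID* m_Address=0;
    ZWQUERYSYSTEMINFORMATION m_ZwQuerySystemInformation;

    // dbghelp-style enumeration callback; UserContext is whatever
    // GetSymbolsAll() passes through (presumably the ENUMSYMBOLSCALLBACK).
    static BOOL CALLBACK EnumAllSymbolsCallBack(
        PSYMBOL_INFO pSymInfo,
        ULONG SymbolSize,
        PVOID UserContext);

};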
51 |
52 |
53 |
54 |
55 |
--------------------------------------------------------------------------------
/HyperDbgTool/Function.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Addresses of internal (non-exported) ntoskrnl routines and variables, one
// field per symbol name. Presumably populated by LoadSymbols() from the PDB
// and then consumed by the driver — confirm in Function.cpp.
// Any field that stays NULL must be treated as "symbol not found" by users.
typedef struct _SYMBOLS_DATA
{
    PVOID DbgkExitThread;
    PVOID DbgkClearProcessDebugObject;
    PVOID DbgkSendSystemDllMessages;
    PVOID PspExitThread;
    PVOID PspTerminateAllThreads;
    PVOID PspProcessDelete;
    PULONG PspNotifyEnableMask;   // pointer to a kernel variable, not a routine
    PVOID DbgkExitProcess;
    PVOID DbgkpPostFakeThreadMessages;
    PVOID DbgkpPostFakeProcessCreateMessages;
    PVOID PsCallImageNotifyRoutines;
    PVOID ObFastReferenceObjectLocked;
    PVOID ObFastReferenceObject;
    PVOID ObFastDereferenceObject;
    PVOID DbgkpSendApiMessageLpc;
    PVOID DbgkpSendErrorMessage;
    PVOID DbgkpQueueMessage;
    PVOID DbgkpSuspendProcess;
    PVOID KiDispatchException;
    PVOID DbgkForwardException;
    PVOID DbgkMapViewOfSection;
    PVOID DbgkCreateThread;
    PVOID DbgkUnMapViewOfSection;
    PVOID DbgkCopyProcessDebugPort;
    PVOID DbgkOpenProcessDebugPort;
    PVOID DbgkpSetProcessDebugObject;
    PVOID DbgkpMarkProcessPeb;
    PVOID PsSuspendThread;
    PVOID PsResumeThread;
    PVOID KeResumeThread;
    PVOID PsSynchronizeWithThreadInsertion;
    PVOID DbgkpPostModuleMessages;
    PVOID DbgkpFreeDebugEvent;
    PVOID DbgkpWakeTarget;
    PVOID ObDuplicateObject;
    PVOID KiCheckForKernelApcDelivery;
    PVOID PsQuerySystemDllInfo;
    //PVOID ExAcquireRundownProtection_0;
    PVOID PsGetNextProcessThread;
    //PVOID KeFreezeAllThreads;
    //PVOID KeThawAllThreads;
    PVOID PsThawProcess;
    PVOID PsFreezeProcess;
    PVOID ZwFlushInstructionCache;

    // Process-teardown related symbols.
    PVOID PspActiveProcessLock;
    PVOID ExfAcquirePushLockExclusive;
    PVOID ExfTryToWakePushLock;
    PVOID PspRemoveProcessFromJob;
    PVOID PspDeleteLdt;
    PVOID PsReturnProcessNonPagedPoolQuota;
    PVOID AlpcpCleanupProcessViews;
    PVOID ObDereferenceDeviceMap;
    PVOID PspDereferenceQuotaBlock;
    PVOID PsReturnProcessPagedPoolQuota;
    PVOID ExDestroyHandle;
    PVOID MmCleanProcessAddressSpace;
    PVOID MmDeleteProcessAddressSpace;
    PVOID MmGetFileNameForSection;
    PVOID PspCidTable;            // kernel variable (handle table), not a routine
    PVOID ObFastReplaceObject;
    PVOID LpcRequestWaitReplyPortEx;
    PVOID PsTestProtectedProcessIncompatibility;
    PVOID PsRequestDebugSecureProcess;

}SYMBOLS_DATA,*PSYMBOLS_DATA;
74 |
// Loads kernel symbols using `symbolPath` as the symbol search path.
// Returns false when the symbols could not be loaded. Implemented in Function.cpp.
bool LoadSymbols(const char* symbolPath);
--------------------------------------------------------------------------------
/HyperDbgTool/HyperDbgTool.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/HyperDbgTool.aps
--------------------------------------------------------------------------------
/HyperDbgTool/HyperDbgTool.cpp:
--------------------------------------------------------------------------------
1 |
2 | // HyperDbgTool.cpp: 定义应用程序的类行为。
3 | //
4 |
5 | #include "pch.h"
6 | #include "framework.h"
7 | #include "HyperDbgTool.h"
8 | #include "HyperDbgToolDlg.h"
9 |
10 | #ifdef _DEBUG
11 | #define new DEBUG_NEW
12 | #endif
13 |
14 |
15 | // CHyperDbgToolApp
16 |
// Message map for the application object: only the standard Help command
// is routed (to CWinApp::OnHelp).
BEGIN_MESSAGE_MAP(CHyperDbgToolApp, CWinApp)
    ON_COMMAND(ID_HELP, &CWinApp::OnHelp)
END_MESSAGE_MAP()
20 |
21 |
22 | // CHyperDbgToolApp 构造
23 |
// Application-object constructor. Only opts in to the Restart Manager here;
// all real initialisation lives in InitInstance().
CHyperDbgToolApp::CHyperDbgToolApp()
{
    m_dwRestartManagerSupportFlags = AFX_RESTART_MANAGER_SUPPORT_RESTART;
}
32 |
33 |
34 | // 唯一的 CHyperDbgToolApp 对象
35 |
// The one and only CHyperDbgToolApp object (declared extern in HyperDbgTool.h).
CHyperDbgToolApp theApp;
37 |
38 |
39 | // CHyperDbgToolApp 初始化
40 |
// Application start-up: initialises common controls and MFC, runs the main
// dialog modally, and returns FALSE so the process exits when the dialog closes
// (no message pump is started).
BOOL CHyperDbgToolApp::InitInstance()
{
    // A manifest that asks for ComCtl32.dll v6+ (visual styles) requires
    // InitCommonControlsEx() before any window is created; otherwise window
    // creation fails. Register every common-control class the app may use.
    INITCOMMONCONTROLSEX controls = {};
    controls.dwSize = sizeof(controls);
    controls.dwICC = ICC_WIN95_CLASSES;
    InitCommonControlsEx(&controls);

    CWinApp::InitInstance();

    AfxEnableControlContainer();

    // Shell manager, in case the dialog hosts a shell tree/list view control.
    CShellManager* shellManager = new CShellManager;

    // "Windows Native" visual manager so MFC controls pick up the OS theme.
    CMFCVisualManager::SetDefaultManager(RUNTIME_CLASS(CMFCVisualManagerWindows));

    // Registry key under which settings are stored. The wizard-generated
    // string is still in place; it should be changed to the organisation name.
    SetRegistryKey(_T("应用程序向导生成的本地应用程序"));

    CHyperDbgToolDlg mainDialog;
    m_pMainWnd = &mainDialog;
    const INT_PTR result = mainDialog.DoModal();

    switch (result)
    {
    case IDOK:
        // Dialog closed with "OK"; nothing extra to do yet.
        break;
    case IDCANCEL:
        // Dialog closed with "Cancel"; nothing extra to do yet.
        break;
    case -1:
        TRACE(traceAppMsg, 0, "警告: 对话框创建失败,应用程序将意外终止。\n");
        TRACE(traceAppMsg, 0, "警告: 如果您在对话框上使用 MFC 控件,则无法 #define _AFX_NO_MFC_CONTROLS_IN_DIALOGS。\n");
        break;
    default:
        break;
    }

    // Release the shell manager created above.
    if (shellManager)
    {
        delete shellManager;
    }

#if !defined(_AFXDLL) && !defined(_AFX_NO_MFC_CONTROLS_IN_DIALOGS)
    ControlBarCleanUp();
#endif

    // The dialog is gone, so return FALSE to exit rather than run the message pump.
    return FALSE;
}
107 |
108 |
--------------------------------------------------------------------------------
/HyperDbgTool/HyperDbgTool.h:
--------------------------------------------------------------------------------
1 |
2 | // HyperDbgTool.h: PROJECT_NAME 应用程序的主头文件
3 | //
4 |
5 | #pragma once
6 |
7 | #ifndef __AFXWIN_H__
8 | #error "在包含此文件之前包含 'pch.h' 以生成 PCH"
9 | #endif
10 |
11 | #include "resource.h" // 主符号
12 |
13 |
14 | // CHyperDbgToolApp:
15 | // 有关此类的实现,请参阅 HyperDbgTool.cpp
16 | //
17 |
// CHyperDbgToolApp: the MFC application object (implementation in HyperDbgTool.cpp).
class CHyperDbgToolApp : public CWinApp
{
public:
    CHyperDbgToolApp();

// Overrides
public:
    // Runs the main dialog; returns FALSE so the app exits when it closes.
    virtual BOOL InitInstance();

// Implementation

    DECLARE_MESSAGE_MAP()
};
31 |
// The single application object, defined in HyperDbgTool.cpp.
extern CHyperDbgToolApp theApp;
33 |
--------------------------------------------------------------------------------
/HyperDbgTool/HyperDbgTool.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/HyperDbgTool.rc
--------------------------------------------------------------------------------
/HyperDbgTool/HyperDbgTool.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 头文件
20 |
21 |
22 | 头文件
23 |
24 |
25 | 头文件
26 |
27 |
28 | 头文件
29 |
30 |
31 | 头文件
32 |
33 |
34 | 头文件
35 |
36 |
37 | 头文件
38 |
39 |
40 | 头文件
41 |
42 |
43 | 头文件
44 |
45 |
46 | 源文件
47 |
48 |
49 | 源文件
50 |
51 |
52 | 源文件
53 |
54 |
55 | 源文件
56 |
57 |
58 |
59 |
60 | 源文件
61 |
62 |
63 | 源文件
64 |
65 |
66 | 源文件
67 |
68 |
69 | 源文件
70 |
71 |
72 | 源文件
73 |
74 |
75 | 源文件
76 |
77 |
78 | 源文件
79 |
80 |
81 | 源文件
82 |
83 |
84 |
85 |
86 | 资源文件
87 |
88 |
89 |
90 |
91 | 资源文件
92 |
93 |
94 |
95 |
96 | 资源文件
97 |
98 |
99 |
--------------------------------------------------------------------------------
/HyperDbgTool/HyperDbgTool.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | HyperDbgTool.rc
5 |
6 |
7 | WindowsRemoteDebugger
8 |
9 |
--------------------------------------------------------------------------------
/HyperDbgTool/HyperDbgToolDlg.h:
--------------------------------------------------------------------------------
1 |
2 | // HyperDbgToolDlg.h: 头文件
3 | //
4 |
5 | #pragma once
6 |
7 |
8 | // CHyperDbgToolDlg 对话框
// CHyperDbgToolDlg: the tool's main dialog. Besides the wizard-generated
// handlers it exposes the Start/Stop button handlers (IDC_BUTTON_START /
// IDC_BUTTON_STOP in resource.h); implementation in HyperDbgToolDlg.cpp.
class CHyperDbgToolDlg : public CDialogEx
{
// Construction
public:
    CHyperDbgToolDlg(CWnd* pParent = nullptr); // standard constructor

// Dialog data
#ifdef AFX_DESIGN_TIME
    enum { IDD = IDD_HYPERDBGTOOL_DIALOG };
#endif

protected:
    virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support


// Implementation
protected:
    HICON m_hIcon;

    // Generated message map functions
    virtual BOOL OnInitDialog();
    afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
    afx_msg void OnPaint();
    afx_msg HCURSOR OnQueryDragIcon();
    DECLARE_MESSAGE_MAP()
public:
    afx_msg void OnBnClickedButtonStart();
    afx_msg void OnBnClickedButtonStop();
};
38 |
--------------------------------------------------------------------------------
/HyperDbgTool/Symbols/dbghelp.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/Symbols/dbghelp.dll
--------------------------------------------------------------------------------
/HyperDbgTool/Symbols/symsrv.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/Symbols/symsrv.dll
--------------------------------------------------------------------------------
/HyperDbgTool/Symbols/symsrv.yes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/Symbols/symsrv.yes
--------------------------------------------------------------------------------
/HyperDbgTool/dll-exports-main.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/dll-exports-main.zip
--------------------------------------------------------------------------------
/HyperDbgTool/downloadSymbolsTest.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/downloadSymbolsTest.cpp
--------------------------------------------------------------------------------
/HyperDbgTool/downloadSymbolsTest.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | int downloadSymbolsTest();
--------------------------------------------------------------------------------
/HyperDbgTool/framework.h:
--------------------------------------------------------------------------------
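#pragma once

#ifndef VC_EXTRALEAN
#define VC_EXTRALEAN            // Exclude rarely-used stuff from Windows headers
#endif

#include "targetver.h"

#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS      // some CString constructors will be explicit

// Turns off MFC's hiding of some common and often safely ignored warning messages
#define _AFX_ALL_WARNINGS

// The header names below were lost in the copy this file came from; these are
// the standard MFC headers the comments describe.
#include <afxwin.h>         // MFC core and standard components
#include <afxext.h>         // MFC extensions

#include <afxdisp.h>        // MFC Automation classes

#ifndef _AFX_NO_OLE_SUPPORT
#include <afxdtctl.h>           // MFC support for Internet Explorer 4 Common Controls
#endif
#ifndef _AFX_NO_AFXCMN_SUPPORT
#include <afxcmn.h>             // MFC support for Windows Common Controls
#endif // _AFX_NO_AFXCMN_SUPPORT

#include <afxcontrolbars.h>     // MFC support for ribbons and control bars

// Pull in ComCtl32 v6 via a manifest dependency so the dialog gets visual styles.
#ifdef _UNICODE
#if defined _M_IX86
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")
#elif defined _M_X64
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"")
#else
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"")
#endif
#endif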
48 |
49 |
50 |
--------------------------------------------------------------------------------
/HyperDbgTool/loadDriver.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/loadDriver.cpp
--------------------------------------------------------------------------------
/HyperDbgTool/loadDriver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/loadDriver.h
--------------------------------------------------------------------------------
/HyperDbgTool/mylog.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/mylog.cpp
--------------------------------------------------------------------------------
/HyperDbgTool/mylog.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | void WriteLog(bool bOutput, bool bWantProcessName, const char* fmt, ...);
--------------------------------------------------------------------------------
/HyperDbgTool/ntdll.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/ntdll.h
--------------------------------------------------------------------------------
/HyperDbgTool/pch.cpp:
--------------------------------------------------------------------------------
// pch.cpp: source file corresponding to the pre-compiled header

#include "pch.h"

// When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
6 |
--------------------------------------------------------------------------------
/HyperDbgTool/pch.h:
--------------------------------------------------------------------------------
// pch.h: This is a precompiled header file.
// Files listed below are compiled only once, improving build performance for future builds.
// This also affects IntelliSense performance, including code completion and many code browsing features.
// However, files listed here are ALL re-compiled if any one of them is updated between builds.
// Do not add files here that you will be updating frequently as this negates the performance advantage.

#ifndef PCH_H
#define PCH_H

// add headers that you want to pre-compile here
#include "framework.h"

#endif //PCH_H
14 |
--------------------------------------------------------------------------------
/HyperDbgTool/res/HyperDbgTool.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/res/HyperDbgTool.ico
--------------------------------------------------------------------------------
/HyperDbgTool/res/HyperDbgTool.rc2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/res/HyperDbgTool.rc2
--------------------------------------------------------------------------------
/HyperDbgTool/resource.h:
--------------------------------------------------------------------------------
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by HyperDbgTool.rc
//
#define IDM_ABOUTBOX                    0x0010
#define IDD_ABOUTBOX                    100
#define IDS_ABOUTBOX                    101
#define IDD_HYPERDBGTOOL_DIALOG         102
#define IDR_MAINFRAME                   128
#define IDC_BUTTON_START                1000   // handled by CHyperDbgToolDlg::OnBnClickedButtonStart
#define IDC_BUTTON_STOP                 1001   // handled by CHyperDbgToolDlg::OnBnClickedButtonStop

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE        130
#define _APS_NEXT_COMMAND_VALUE         32771
#define _APS_NEXT_CONTROL_VALUE         1002
#define _APS_NEXT_SYMED_VALUE           101
#endif
#endif
23 |
--------------------------------------------------------------------------------
/HyperDbgTool/symsrv.yes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperDbgTool/symsrv.yes
--------------------------------------------------------------------------------
/HyperDbgTool/targetver.h:
--------------------------------------------------------------------------------
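#pragma once

// Including SDKDDKVer.h defines the highest available Windows platform.
//
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.

// The header name was lost in the copy this file came from; it is the one the
// comment above refers to.
#include <SDKDDKVer.h>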
9 |
--------------------------------------------------------------------------------
/HyperHide.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31313.79
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HyperHide", "HyperHide\HyperHide.vcxproj", "{062CB708-969A-4A0D-8A4C-3C2ADE786BCA}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HyperHideDrv", "HyperHideDrv\HyperHideDrv.vcxproj", "{1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HyperDbgTool", "HyperDbgTool\HyperDbgTool.vcxproj", "{1D006F03-96FA-418D-A0A5-244CE96877E5}"
11 | EndProject
12 | Global
13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
14 | Debug|x64 = Debug|x64
15 | Debug|x86 = Debug|x86
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Debug|x64.ActiveCfg = Debug|x64
21 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Debug|x64.Build.0 = Debug|x64
22 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Debug|x86.ActiveCfg = Debug|Win32
23 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Debug|x86.Build.0 = Debug|Win32
24 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Release|x64.ActiveCfg = Release|x64
25 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Release|x64.Build.0 = Release|x64
26 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Release|x86.ActiveCfg = Release|Win32
27 | {062CB708-969A-4A0D-8A4C-3C2ADE786BCA}.Release|x86.Build.0 = Release|Win32
28 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Debug|x64.ActiveCfg = Debug|x64
29 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Debug|x64.Build.0 = Debug|x64
30 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Debug|x64.Deploy.0 = Debug|x64
31 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Debug|x86.ActiveCfg = Debug|x64
32 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Release|x64.ActiveCfg = Release|x64
33 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Release|x64.Build.0 = Release|x64
34 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Release|x64.Deploy.0 = Release|x64
35 | {1B2A7FD5-27DE-4C1E-B1CA-9B732A690671}.Release|x86.ActiveCfg = Release|x64
36 | {1D006F03-96FA-418D-A0A5-244CE96877E5}.Debug|x64.ActiveCfg = Debug|x64
37 | {1D006F03-96FA-418D-A0A5-244CE96877E5}.Debug|x64.Build.0 = Debug|x64
38 | {1D006F03-96FA-418D-A0A5-244CE96877E5}.Debug|x86.ActiveCfg = Debug|Win32
39 | {1D006F03-96FA-418D-A0A5-244CE96877E5}.Debug|x86.Build.0 = Debug|Win32
40 | {1D006F03-96FA-418D-A0A5-244CE96877E5}.Release|x64.ActiveCfg = Release|x64
41 | {1D006F03-96FA-418D-A0A5-244CE96877E5}.Release|x64.Build.0 = Release|x64
42 | {1D006F03-96FA-418D-A0A5-244CE96877E5}.Release|x86.ActiveCfg = Release|Win32
43 | {1D006F03-96FA-418D-A0A5-244CE96877E5}.Release|x86.Build.0 = Release|Win32
44 | EndGlobalSection
45 | GlobalSection(SolutionProperties) = preSolution
46 | HideSolutionNode = FALSE
47 | EndGlobalSection
48 | GlobalSection(ExtensibilityGlobals) = postSolution
49 | SolutionGuid = {76619BE2-56D9-493D-AB43-205FF39B24D1}
50 | EndGlobalSection
51 | EndGlobal
52 |
--------------------------------------------------------------------------------
/HyperHide/HyperHide.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/HyperHide/HyperHideDrv.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include "HyperHideDrv.h"
3 | #include "Ioctl.h"
4 |
5 |
// Nothing to do here: DriverHandle and Pid carry in-class initialisers
// (see HyperHideDrv.h), and the device is opened lazily by CreateHandleToDriver().
HyperHideDrv::HyperHideDrv()
{
}
9 |
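// Restores hypervisor visibility and closes the driver handle.
// Both steps are skipped when no handle was ever opened (0) or the open
// failed (INVALID_HANDLE_VALUE); previously SetHyperVisorVisibility(TRUE)
// was issued unconditionally, i.e. DeviceIoControl on a bad handle.
HyperHideDrv::~HyperHideDrv()
{
    if (this->DriverHandle != 0 && this->DriverHandle != INVALID_HANDLE_VALUE)
    {
        // This is the only place the class turns visibility back on, so do it
        // before the handle goes away.
        SetHyperVisorVisibility(TRUE);
        CloseHandle(this->DriverHandle);
        this->DriverHandle = 0;
    }
}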
16 |
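// Opens the driver's device object for read/write. Returns FALSE when the
// open fails (DriverHandle is then INVALID_HANDLE_VALUE; see GetLastError()).
// Uses the HyperHideDrvLink member from the header so the device name is
// defined in exactly one place, and closes any handle from an earlier call
// instead of leaking it.
BOOLEAN HyperHideDrv::CreateHandleToDriver()
{
    if (this->DriverHandle != 0 && this->DriverHandle != INVALID_HANDLE_VALUE)
        CloseHandle(this->DriverHandle);

    this->DriverHandle = CreateFileA(
        this->HyperHideDrvLink.c_str(),
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        nullptr,
        OPEN_EXISTING,
        0,
        nullptr);

    return this->DriverHandle != INVALID_HANDLE_VALUE;
}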
24 |
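// Sends `Ioctl` to the driver with the target pid as the only input buffer.
// Returns FALSE when no target pid has been set, when the driver handle is
// not open, or when DeviceIoControl itself fails.
BOOLEAN HyperHideDrv::CallDriver(size_t Ioctl)
{
    if (this->Pid == 0)
        return FALSE;

    // Guard added: without it a never-opened (0) or failed (INVALID_HANDLE_VALUE)
    // handle reached DeviceIoControl.
    if (this->DriverHandle == 0 || this->DriverHandle == INVALID_HANDLE_VALUE)
        return FALSE;

    DWORD bytesReturned = 0;
    // DeviceIoControl takes a DWORD control code; the size_t parameter is kept
    // for source compatibility and narrowed explicitly here.
    const BOOL ok = DeviceIoControl(
        this->DriverHandle,
        static_cast<DWORD>(Ioctl),
        &this->Pid, sizeof(UINT32),
        nullptr, 0,
        &bytesReturned, nullptr);

    // BOOL is "nonzero on success"; compare rather than truncate into BOOLEAN.
    return ok != FALSE;
}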
40 |
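// Tells the driver whether the hypervisor should be visible (Value != FALSE)
// via IOCTL_SET_HYPERVISOR_VISIBILITY. Best-effort: the result is not
// reported to the caller. Does nothing when the driver handle is not open,
// which the original did not check.
void HyperHideDrv::SetHyperVisorVisibility(BOOLEAN Value)
{
    if (this->DriverHandle == 0 || this->DriverHandle == INVALID_HANDLE_VALUE)
        return;

    DWORD bytesReturned = 0;
    DeviceIoControl(
        this->DriverHandle,
        IOCTL_SET_HYPERVISOR_VISIBILITY,
        &Value, sizeof(BOOLEAN),
        nullptr, 0,
        &bytesReturned, nullptr);
}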
53 |
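// Asks the driver to apply the hooks/cleanups selected in HideInfo to the
// target process (IOCTL_HIDE_FROM_SYSCALL). HideInfo.Pid is overwritten with
// the pid set through SetTargetPid() before the structure is sent.
// Returns FALSE when no target pid is set, the driver handle is not open, or
// the request fails. Mirrors the guard/return style of CallDriver().
BOOLEAN HyperHideDrv::Hide(HIDE_INFO& HideInfo)
{
    if (this->Pid == 0)
        return FALSE;

    if (this->DriverHandle == 0 || this->DriverHandle == INVALID_HANDLE_VALUE)
        return FALSE;

    DWORD bytesReturned = 0;
    HideInfo.Pid = this->Pid;

    const BOOL ok = DeviceIoControl(
        this->DriverHandle,
        IOCTL_HIDE_FROM_SYSCALL,
        &HideInfo, sizeof(HIDE_INFO),
        nullptr, 0,
        &bytesReturned, nullptr);

    return ok != FALSE;
}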
71 |
// Raw driver handle: 0 before CreateHandleToDriver(), INVALID_HANDLE_VALUE
// after a failed open. The caller does not own it.
HANDLE HyperHideDrv::GetDriverHandleValue()
{
    return DriverHandle;
}
76 |
// Records the process id that CallDriver()/Hide() send to the driver.
// (The parameter shadows the member, hence the explicit this->.)
void HyperHideDrv::SetTargetPid(UINT32 Pid)
{
    this->Pid = Pid;
}
--------------------------------------------------------------------------------
/HyperHide/HyperHideDrv.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 |
// Request payload for IOCTL_HIDE_FROM_SYSCALL (sent by HyperHideDrv::Hide):
// the target pid plus one flag per syscall hook / per-process cleanup the
// driver should apply. The driver copies sizeof(HIDE_INFO) bytes, so this
// layout must match the driver-side definition exactly —
// NOTE(review): confirm against HyperHideDrv/Ioctl.h whenever a field is added.
typedef struct _HIDE_INFO
{
    ULONG Pid;                                  // overwritten by Hide() with the target pid
    // Syscall hooks to install for the target process.
    BOOLEAN HookNtQueryInformationProcess;
    BOOLEAN HookNtQuerySystemInformation;
    BOOLEAN HookNtQueryInformationThread;
    BOOLEAN HookNtQueryInformationJobObject;
    BOOLEAN HookNtQueryObject;
    BOOLEAN HookNtQuerySystemTime;
    BOOLEAN HookNtQueryPerformanceCounter;
    BOOLEAN HookNtCreateUserProcess;
    BOOLEAN HookNtCreateProcessEx;
    BOOLEAN HookNtCreateThreadEx;
    BOOLEAN HookNtSetContextThread;
    BOOLEAN HookNtGetContextThread;
    BOOLEAN HookNtOpenProcess;
    BOOLEAN HookNtOpenThread;
    BOOLEAN HookNtSetInformationThread;
    BOOLEAN HookNtSystemDebugControl;
    BOOLEAN HookNtGetNextProcess;
    BOOLEAN HookNtYieldExecution;
    BOOLEAN HookNtCreateFile;
    BOOLEAN HookNtContinue;
    BOOLEAN HookNtClose;
    BOOLEAN HookNtUserBuildHwndList;
    BOOLEAN HookNtUserFindWindowEx;
    BOOLEAN HookNtUserQueryWindow;
    BOOLEAN HookNtUserGetForegroundWindow;
    BOOLEAN HookKuserSharedData;
    BOOLEAN HookKiDispatchException;
    BOOLEAN HookNtSetInformationProcess;
    // Per-process state to clear or save.
    BOOLEAN ClearPebBeingDebugged;
    BOOLEAN ClearPebNtGlobalFlag;
    BOOLEAN ClearHeapFlags;
    BOOLEAN ClearKuserSharedData;
    BOOLEAN ClearHideFromDebuggerFlag;
    BOOLEAN ClearBypassProcessFreeze;
    BOOLEAN ClearProcessBreakOnTerminationFlag;
    BOOLEAN ClearThreadBreakOnTerminationFlag;
    BOOLEAN SaveProcessDebugFlags;
    BOOLEAN SaveProcessHandleTracing;
}HIDE_INFO, * PHIDE_INFO;
47 |
// Thin user-mode wrapper around the HyperHide driver's device object:
// opens the device, remembers a target pid and forwards IOCTLs for it.
// Implementation in HyperHideDrv.cpp.
class HyperHideDrv
{
public:
    HyperHideDrv();
    ~HyperHideDrv();                                // restores visibility and closes the handle
    BOOLEAN CreateHandleToDriver();                 // opens HyperHideDrvLink; FALSE on failure
    BOOLEAN CallDriver(size_t Ioctl);               // sends Ioctl with the target pid as input
    BOOLEAN Hide(HIDE_INFO& HideInfo);              // IOCTL_HIDE_FROM_SYSCALL for the target pid
    void SetTargetPid(UINT32 Pid);                  // pid used by CallDriver()/Hide()
    void SetHyperVisorVisibility(BOOLEAN Value);    // IOCTL_SET_HYPERVISOR_VISIBILITY
    HANDLE GetDriverHandleValue();                  // raw handle; not transferred to the caller

private:
    const std::string HyperHideDrvLink = "\\\\.\\HyperDbg";   // device symbolic link
    HANDLE DriverHandle = 0;                                  // 0 until CreateHandleToDriver()
    UINT32 Pid = 0;                                           // 0 = no target set
};
--------------------------------------------------------------------------------
/HyperHide/HyperHideIcon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/HyperHideIcon.png
--------------------------------------------------------------------------------
/HyperHide/IniApi.cpp:
--------------------------------------------------------------------------------
1 | #include "IniApi.h"
2 |
// Returns every section name found in the .ini at File, in file order.
// File: path of the .ini. Win32 resolves a bare file name against the Windows
// directory, so callers should pass a full path. A missing or unreadable file
// yields an empty vector.
std::vector<std::string> IniLoadSectionNames(const std::string File)
{
    std::vector<std::string> Names;
    std::string Storage;
    DWORD Written = 0;

    // GetPrivateProfileSectionNamesA signals a too-small buffer by returning
    // nSize - 2, so keep enlarging until at least 3 bytes of slack remain.
    do
    {
        Storage.resize(Storage.size() + MAX_PATH);
        Written = GetPrivateProfileSectionNamesA(&Storage[0], (DWORD)Storage.size(), File.c_str());
    } while (((DWORD)Storage.size() - Written) < 3);

    // The API writes a double-NUL terminated list; Storage is NUL padded by
    // resize(), so the walk stops at the first empty entry.
    size_t Pos = 0;
    while (Pos < Storage.size() && Storage[Pos] != '\0')
    {
        const char* Entry = Storage.c_str() + Pos;
        Names.emplace_back(Entry);
        Pos += lstrlenA(Entry) + 1;
    }

    return Names;
}
21 |
// Reads Section/Key from the .ini at File as a string; DefaultValue is returned
// (by the API itself) when the section or key does not exist. The result is
// trimmed to the exact length reported by the API.
std::string IniLoadString(const std::string File, const std::string Section, const std::string Key, const std::string DefaultValue)
{
    std::string Result;
    DWORD Copied = 0;

    // GetPrivateProfileStringA reports truncation as nSize - 1 (nSize - 2 when
    // section or key is NULL); growing until 3 bytes of slack remain covers both.
    do
    {
        Result.resize(Result.size() + MAX_PATH);
        Copied = GetPrivateProfileStringA(Section.c_str(), Key.c_str(), DefaultValue.c_str(), &Result[0], (DWORD)Result.size(), File.c_str());
    } while (((DWORD)Result.size() - Copied) < 3);

    Result.resize(Copied);
    return Result;
}
35 |
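// Writes Value under Section/Key in the .ini at File, creating section and key
// as needed. Returns TRUE on success.
BOOL IniSaveString(const std::string File, const std::string Section, const std::string Key, const std::string Value)
{
    // WritePrivateProfileStringA is documented to return "nonzero" on success, not
    // necessarily TRUE (1); testing against FALSE is the robust form of that check.
    return WritePrivateProfileStringA(Section.c_str(), Key.c_str(), Value.c_str(), File.c_str()) != FALSE;
}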
--------------------------------------------------------------------------------
/HyperHide/IniApi.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
// Thin wrappers over the Win32 private-profile API (see IniApi.cpp). All paths are
// passed straight to the API, so a bare file name is looked up in the Windows directory;
// pass full paths.

// All section names in File, in file order; empty if the file cannot be read.
std::vector IniLoadSectionNames(const std::string File);

// Section/Key from File, or DefaultValue when absent.
std::string IniLoadString(const std::string File, const std::string Section, const std::string Key, const std::string DefaultValue);

// Writes Value under Section/Key in File; TRUE on success.
BOOL IniSaveString(const std::string File, const std::string Section, const std::string Key, const std::string Value);
15 |
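// Reads Section/Key from File and parses it as ValueType (an arithmetic type accepted
// by std::to_string). Returns DefaultValue when the key is absent or when the stored
// text does not parse - the .ini is external input, so a malformed entry must not
// yield an indeterminate or zero value.
template<typename ValueType>
ValueType IniLoadValue(const std::string File, const std::string Section, const std::string Key, ValueType DefaultValue)
{
    // Parse with the same integral promotion std::to_string applies when IniSaveValue
    // writes the entry: a BOOLEAN (unsigned char) is saved as "1"/"0" via the int
    // overload, and reading it back through operator>>(unsigned char&) would return the
    // character code of the first digit ('1' -> 49, '0' -> 48) instead of the number.
    // Settings::Profile stores BOOLEANs, so this round trip presumably matters there.
    typedef decltype(DefaultValue + 0) ParsedType;

    const std::string Text = IniLoadString(File, Section, Key, std::to_string(DefaultValue));

    std::istringstream Stream(Text);
    ParsedType Parsed;
    if (!(Stream >> Parsed))
    {
        // Unparsable text in the .ini: fall back to the caller's default.
        return DefaultValue;
    }

    return static_cast<ValueType>(Parsed);
}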
32 |
// Stores Value under Section/Key in File using std::to_string's formatting
// (integers and floating point; narrow integer types are promoted to int).
// Returns TRUE on success.
template<typename ValueType>
BOOL IniSaveValue(const std::string File, const std::string Section, const std::string Key, ValueType Value)
{
    const std::string Text = std::to_string(Value);
    return IniSaveString(File, Section, Key, Text);
}
--------------------------------------------------------------------------------
/HyperHide/Ioctl.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Control codes shared with the HyperHide driver (opened through "\\.\HyperDbg", see
// HyperHideDrv.h). Function numbers 0x900-0x908 sit in the customer-defined range
// (0x800 and up). Every code is METHOD_BUFFERED with FILE_SPECIAL_ACCESS, which the WDK
// defines as FILE_ANY_ACCESS (0): the I/O manager then requires no particular access
// right on the handle, so the only thing limiting who can issue these requests is the
// security descriptor the driver puts on its device object (driver side not visible here).
#define IOCTL_ADD_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_CLEAR_PEB_DEBUGGER_FLAG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x901, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_SET_PEB_DEBUGGER_FLAG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x902, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_HIDE_FROM_SYSCALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x903, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x904, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_REMOVE_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x905, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_PROCESS_STOPPED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x906, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_PROCESS_RESUMED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x907, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
// Presumably the request behind HyperHideDrv::SetHyperVisorVisibility.
#define IOCTL_SET_HYPERVISOR_VISIBILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x908, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
--------------------------------------------------------------------------------
/HyperHide/Settings.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 |
// Persists named hide profiles in HyperHide.ini through the IniApi.h helpers.
// Declarations only; Settings.cpp (not visible here) implements the behaviour, so
// the per-method notes below are what the signatures suggest.
class Settings
{
public:
    // One named set of hooks/clean-ups. Same field list as HIDE_INFO (HyperHideDrv.h)
    // without Pid, except that HookKiExceptionDispatch here corresponds to
    // HookKiDispatchException there - whatever copies a Profile into a HIDE_INFO
    // has to map those two by hand.
    struct Profile
    {
        BOOLEAN HookNtQueryInformationProcess;
        BOOLEAN HookNtQuerySystemInformation;
        BOOLEAN HookNtQueryInformationThread;
        BOOLEAN HookNtQueryInformationJobObject;
        BOOLEAN HookNtQueryObject;
        BOOLEAN HookNtQuerySystemTime;
        BOOLEAN HookNtQueryPerformanceCounter;
        BOOLEAN HookNtCreateUserProcess;
        BOOLEAN HookNtCreateProcessEx;
        BOOLEAN HookNtCreateThreadEx;
        BOOLEAN HookNtSetContextThread;
        BOOLEAN HookNtGetContextThread;
        BOOLEAN HookNtOpenProcess;
        BOOLEAN HookNtOpenThread;
        BOOLEAN HookNtSetInformationThread;
        BOOLEAN HookNtSystemDebugControl;
        BOOLEAN HookNtGetNextProcess;
        BOOLEAN HookNtYieldExecution;
        BOOLEAN HookNtCreateFile;
        BOOLEAN HookNtContinue;
        BOOLEAN HookNtClose;
        BOOLEAN HookNtUserBuildHwndList;
        BOOLEAN HookNtUserFindWindowEx;
        BOOLEAN HookNtUserQueryWindow;
        BOOLEAN HookNtUserGetForegroundWindow;
        BOOLEAN HookKuserSharedData;
        BOOLEAN HookKiExceptionDispatch;        // HIDE_INFO calls this HookKiDispatchException
        BOOLEAN HookNtSetInformationProcess;
        BOOLEAN ClearPebBeingDebugged;
        BOOLEAN ClearPebNtGlobalFlag;
        BOOLEAN ClearHeapFlags;
        BOOLEAN ClearKuserSharedData;
        BOOLEAN ClearHideFromDebuggerFlag;
        BOOLEAN ClearBypassProcessFreeze;
        BOOLEAN ClearProcessBreakOnTerminationFlag;
        BOOLEAN ClearThreadBreakOnTerminationFlag;
        BOOLEAN SaveProcessDebugFlags;
        BOOLEAN SaveProcessHandleTracing;
    };

    // Loads the profile named ProfileName into CurrentProfile (presumed).
    VOID LoadProfile(std::string ProfileName);

    // Writes CurrentProfile back to IniFile; TRUE on success (presumed).
    BOOL SaveProfile();

    // Creates a new profile section; TRUE on success (presumed).
    BOOL AddProfile(std::string ProfileName);

    // Makes ProfileName the current profile (presumably also recorded under CurrentProfileKey).
    VOID SetProfile(std::string ProfileName);

    // Initial load; IniPath presumably is the directory that IniFileName is appended to.
    VOID Load(std::string IniPath);

    // Reference into ProfileNames; invalidated when profiles are added.
    std::vector& GetProfileNames();

    // Mutable reference to the in-memory profile; SaveProfile() persists edits.
    Profile& GetCurrentProfile();

    std::string GetCurrentProfileName();

private:
    std::string IniFile;                                    // full path of the .ini in use
    CONST std::string IniFileName = "HyperHide.ini";
    CONST std::string SettingsSectionName = "SETTINGS";    // presumably holds CurrentProfileKey
    CONST std::string DefaultProfile = "Default";
    CONST std::string CurrentProfileKey = "CurrentProfile";
    std::vector ProfileNames;
    std::string CurrentProfileName;
    Profile CurrentProfile;
};
--------------------------------------------------------------------------------
/HyperHide/Tooltips.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | HWND CreateTooltips(HWND hDlg);
--------------------------------------------------------------------------------
/HyperHide/pluginconfig.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Identity reported to x64dbg; PLUGIN_NAME is also the prefix of every dprintf/dputs
// log line (see pluginmain.h). pluginmain.h defines PLUGIN_VERSION 1 as well.
#define PLUGIN_NAME "HyperHide"
#define PLUGIN_VERSION 1
4 |
--------------------------------------------------------------------------------
/HyperHide/pluginmain.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
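// Plugin information
// PLUGIN_NAME normally comes from pluginconfig.h; "UnnamedPlugin" is only the fallback
// when neither the build nor that header defines it. The previous #ifndef/#else pairing
// took the #else branch exactly when PLUGIN_NAME was already defined, redefining it to
// "UnnamedPlugin" (a macro-redefinition warning that silently discarded the configured
// name); two independent guards give the intended precedence.
#ifndef PLUGIN_NAME
#include "pluginconfig.h"
#endif
#ifndef PLUGIN_NAME
#define PLUGIN_NAME "UnnamedPlugin"
#endif // PLUGIN_NAME
// pluginconfig.h defines PLUGIN_VERSION 1 too; guarding keeps the two from ever conflicting.
#ifndef PLUGIN_VERSION
#define PLUGIN_VERSION 1
#endif // PLUGIN_VERSION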
10 |
11 | #include "pluginsdk/bridgemain.h"
12 | #include "pluginsdk/_plugins.h"
13 |
14 | #include "pluginsdk/_scriptapi_argument.h"
15 | #include "pluginsdk/_scriptapi_assembler.h"
16 | #include "pluginsdk/_scriptapi_bookmark.h"
17 | #include "pluginsdk/_scriptapi_comment.h"
18 | #include "pluginsdk/_scriptapi_debug.h"
19 | #include "pluginsdk/_scriptapi_flag.h"
20 | #include "pluginsdk/_scriptapi_function.h"
21 | #include "pluginsdk/_scriptapi_gui.h"
22 | #include "pluginsdk/_scriptapi_label.h"
23 | #include "pluginsdk/_scriptapi_memory.h"
24 | #include "pluginsdk/_scriptapi_misc.h"
25 | #include "pluginsdk/_scriptapi_module.h"
26 | #include "pluginsdk/_scriptapi_pattern.h"
27 | #include "pluginsdk/_scriptapi_register.h"
28 | #include "pluginsdk/_scriptapi_stack.h"
29 | #include "pluginsdk/_scriptapi_symbol.h"
30 |
31 | #include "pluginsdk/DeviceNameResolver/DeviceNameResolver.h"
32 | #include "pluginsdk/jansson/jansson.h"
33 | #include "pluginsdk/lz4/lz4file.h"
34 | #include "pluginsdk/TitanEngine/TitanEngine.h"
35 | #include "pluginsdk/XEDParse/XEDParse.h"
36 |
// Import libraries for the x64dbg plugin SDK, chosen by target bitness.
#ifdef _WIN64
#pragma comment(lib, "pluginsdk/x64dbg.lib")
#pragma comment(lib, "pluginsdk/x64bridge.lib")
#pragma comment(lib, "pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib")
#pragma comment(lib, "pluginsdk/jansson/jansson_x64.lib")
#pragma comment(lib, "pluginsdk/lz4/lz4_x64.lib")
#pragma comment(lib, "pluginsdk/TitanEngine/TitanEngine_x64.lib")
#pragma comment(lib, "pluginsdk/XEDParse/XEDParse_x64.lib")
#else
#pragma comment(lib, "pluginsdk/x32dbg.lib")
#pragma comment(lib, "pluginsdk/x32bridge.lib")
#pragma comment(lib, "pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib")
#pragma comment(lib, "pluginsdk/jansson/jansson_x86.lib")
#pragma comment(lib, "pluginsdk/lz4/lz4_x86.lib")
#pragma comment(lib, "pluginsdk/TitanEngine/TitanEngine_x86.lib")
#pragma comment(lib, "pluginsdk/XEDParse/XEDParse_x86.lib")
#endif //_WIN64

// Convenience wrappers around the bridge API.
#define Cmd(x) DbgCmdExecDirect(x)
#define Eval(x) DbgValFromString(x)
// Logging with a "[PLUGIN_NAME] " prefix. The prefix is glued to x by adjacent-literal
// concatenation, so x must be a string literal - which also keeps the format string
// out of the caller's data.
#define dprintf(x, ...) _plugin_logprintf("[" PLUGIN_NAME "] " x, __VA_ARGS__)
#define dputs(x) _plugin_logputs("[" PLUGIN_NAME "] " x)
#define PLUG_EXPORT extern "C" __declspec(dllexport)

//superglobal variables
// Shared plugin state; presumably defined in pluginmain.cpp (not visible here).
extern int pluginHandle;
extern HWND hwndDlg;
extern int hMenu;
extern int hMenuDisasm;
extern int hMenuDump;
extern int hMenuStack;
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver.h:
--------------------------------------------------------------------------------
1 | #ifndef _DEVICENAMERESOLVER_H
2 | #define _DEVICENAMERESOLVER_H
3 |
4 | #include
5 |
6 | #ifdef __cplusplus
7 | extern "C"
8 | {
9 | #endif
10 |
// Converts between NT device paths (\Device\HarddiskVolumeN\...) and Win32 paths, or
// derives either from an open file handle. Every output buffer is bounded by
// nSizeInChars (characters, not bytes); false presumably means failure or a
// result that did not fit - check the return before using the buffer.
__declspec(dllexport) bool DevicePathToPathW(const wchar_t* szDevicePath, wchar_t* szPath, size_t nSizeInChars);
__declspec(dllexport) bool DevicePathToPathA(const char* szDevicePath, char* szPath, size_t nSizeInChars);
__declspec(dllexport) bool DevicePathFromFileHandleW(HANDLE hFile, wchar_t* szDevicePath, size_t nSizeInChars);
__declspec(dllexport) bool DevicePathFromFileHandleA(HANDLE hFile, char* szDevicePath, size_t nSizeInChars);
__declspec(dllexport) bool PathFromFileHandleW(HANDLE hFile, wchar_t* szPath, size_t nSizeInChars);
__declspec(dllexport) bool PathFromFileHandleA(HANDLE hFile, char* szPath, size_t nSizeInChars);
17 |
18 | #ifdef __cplusplus
19 | }
20 | #endif
21 |
22 | #endif // _DEVICENAMERESOLVER_H
23 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/DeviceNameResolver/DeviceNameResolver_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/TitanEngine/TitanEngine_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/TitanEngine/TitanEngine_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/TitanEngine/TitanEngine_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/TitanEngine/TitanEngine_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/TitanEngine/TitanEngine_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/TitanEngine/TitanEngine_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/TitanEngine/TitanEngine_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/TitanEngine/TitanEngine_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse.h:
--------------------------------------------------------------------------------
1 | #ifndef _XEDPARSE_H
2 | #define _XEDPARSE_H
3 |
4 | #include
5 |
//XEDParse defines
// XEDPARSE_BUILD is set only when compiling XEDParse itself; consumers import.
#ifdef XEDPARSE_BUILD
#define XEDPARSE_EXPORT __declspec(dllexport)
#else
#define XEDPARSE_EXPORT __declspec(dllimport)
#endif //XEDPARSE_BUILD

#define XEDPARSE_CALL //calling convention

// Buffer sizes for the XEDPARSE struct: instruction/error text and encoded bytes
// (16 is the maximum length of one x86 instruction).
#define XEDPARSE_MAXBUFSIZE 256
#define XEDPARSE_MAXASMSIZE 16
17 |
//typedefs
// Callback invoked for an operand the assembler cannot resolve; it receives the
// operand text and returns true after writing its value to *value.
typedef bool (XEDPARSE_CALL* CBXEDPARSE_UNKNOWN)(const char* text, ULONGLONG* value);

//XEDParse enums
// Result of XEDParseAssemble; on XEDPARSE_ERROR the reason is in XEDPARSE::error.
enum XEDPARSE_STATUS
{
    XEDPARSE_ERROR = 0,
    XEDPARSE_OK = 1
};
27 |
//XEDParse structs
// In/out record for XEDParseAssemble. Packed at 8 so the layout matches the DLL
// regardless of the consumer's default packing.
#pragma pack(push,8)
struct XEDPARSE
{
    bool x64; // use 64-bit instructions
    ULONGLONG cip; //instruction pointer (for relative addressing)
    unsigned int dest_size; //destination size (returned by XEDParse)
    CBXEDPARSE_UNKNOWN cbUnknown; //unknown operand callback
    unsigned char dest[XEDPARSE_MAXASMSIZE]; //destination buffer
    char instr[XEDPARSE_MAXBUFSIZE]; //instruction text
    char error[XEDPARSE_MAXBUFSIZE]; //error text (in case of an error)
};
#pragma pack(pop)
41 |
#ifdef __cplusplus
extern "C"
{
#endif

// Assembles XEDParse->instr (for XEDParse->x64 / cip) into XEDParse->dest, setting
// dest_size; returns XEDPARSE_ERROR with XEDParse->error filled on failure.
XEDPARSE_EXPORT XEDPARSE_STATUS XEDPARSE_CALL XEDParseAssemble(XEDPARSE* XEDParse);

#ifdef __cplusplus
}
#endif
52 |
53 | #endif // _XEDPARSE_H
54 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/XEDParse/XEDParse_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/XEDParse/XEDParse_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/XEDParse/XEDParse_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/XEDParse/XEDParse_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/XEDParse/XEDParse_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_plugin_types.h:
--------------------------------------------------------------------------------
1 | #ifndef _PLUGIN_DATA_H
2 | #define _PLUGIN_DATA_H
3 |
4 | #ifdef BUILD_DBG
5 |
6 | #include "_global.h"
7 | #include "jansson/jansson.h"
8 | #pragma warning(push)
9 | #pragma warning(disable:4091)
10 | #include
11 | #pragma warning(pop)
12 |
13 | #else
14 |
15 | #ifdef __GNUC__
16 | #include "dbghelp/dbghelp.h"
17 | #else
18 | #pragma warning(push)
19 | #pragma warning(disable:4091)
20 | #include
21 | #pragma warning(pop)
22 | #endif // __GNUC__
23 |
24 | #ifndef deflen
25 | #define deflen 1024
26 | #endif // deflen
27 |
28 | #include "bridgemain.h"
29 | #include "_dbgfunctions.h"
30 | #include "jansson/jansson.h"
31 |
32 | #endif // BUILD_DBG
33 |
34 | #endif // _PLUGIN_DATA_H
35 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPT_API_H
2 | #define _SCRIPT_API_H
3 |
4 | #include "_plugins.h"
5 |
6 | #define SCRIPT_EXPORT PLUG_IMPEXP
7 |
8 | #endif //_SCRIPT_API_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_argument.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_ARGUMENT_H
2 | #define _SCRIPTAPI_ARGUMENT_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Argument - argument-range annotations, keyed by absolute address (duint) or
// by module name + RVA (ArgumentInfo).
namespace Script
{
    namespace Argument
    {
        struct ArgumentInfo
        {
            char mod[MAX_MODULE_SIZE];      // owning module name, bounded by MAX_MODULE_SIZE
            duint rvaStart;                 // range start, relative to mod (presumed from the name)
            duint rvaEnd;                   // range end, relative to mod
            bool manual;                    // user-defined rather than analysis-derived (presumed)
            duint instructioncount;
        };

        SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0);
        SCRIPT_EXPORT bool Add(const ArgumentInfo* info);
        // Optional out-parameters may be left nullptr.
        SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr);
        SCRIPT_EXPORT bool GetInfo(duint addr, ArgumentInfo* info);
        SCRIPT_EXPORT bool Overlaps(duint start, duint end);
        SCRIPT_EXPORT bool Delete(duint address);
        // deleteManual=false keeps user-defined entries in the range.
        SCRIPT_EXPORT void DeleteRange(duint start, duint end, bool deleteManual = false);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(ArgumentInfo) list); //caller has the responsibility to free the list
    }; //Argument
}; //Script
30 |
31 | #endif //_SCRIPTAPI_ARGUMENT_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_assembler.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_ASSEMBLER_H
2 | #define _SCRIPTAPI_ASSEMBLER_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Assembler - assemble text either into a caller buffer or straight into
// debuggee memory. Buffer sizes are fixed by convention (see the trailing comments);
// callers must provide at least those sizes.
namespace Script
{
    namespace Assembler
    {
        SCRIPT_EXPORT bool Assemble(duint addr, unsigned char* dest, int* size, const char* instruction); //dest[16]
        SCRIPT_EXPORT bool AssembleEx(duint addr, unsigned char* dest, int* size, const char* instruction, char* error); //dest[16], error[MAX_ERROR_SIZE]
        SCRIPT_EXPORT bool AssembleMem(duint addr, const char* instruction);
        // fillnop presumably pads the remainder of the overwritten instruction with NOPs.
        SCRIPT_EXPORT bool AssembleMemEx(duint addr, const char* instruction, int* size, char* error, bool fillnop); //error[MAX_ERROR_SIZE]
    }; //Assembler
}; //Script
16 |
17 | #endif //_SCRIPTAPI_ASSEMBLER_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_bookmark.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_BOOKMARK_H
2 | #define _SCRIPTAPI_BOOKMARK_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Bookmark - bookmarked addresses, keyed by absolute address or module + RVA.
namespace Script
{
    namespace Bookmark
    {
        struct BookmarkInfo
        {
            char mod[MAX_MODULE_SIZE];  // owning module name
            duint rva;                  // offset within mod (presumed from the name)
            bool manual;                // user-created (presumed)
        };

        SCRIPT_EXPORT bool Set(duint addr, bool manual = false);
        SCRIPT_EXPORT bool Set(const BookmarkInfo* info);
        // True when a bookmark exists at addr.
        SCRIPT_EXPORT bool Get(duint addr);
        SCRIPT_EXPORT bool GetInfo(duint addr, BookmarkInfo* info);
        SCRIPT_EXPORT bool Delete(duint addr);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(BookmarkInfo) list); //caller has the responsibility to free the list
    }; //Bookmark
}; //Script
27 |
28 | #endif //_SCRIPTAPI_BOOKMARK_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_comment.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_COMMENT_H
2 | #define _SCRIPTAPI_COMMENT_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Comment - user/analysis comments attached to addresses.
namespace Script
{
    namespace Comment
    {
        struct CommentInfo
        {
            char mod[MAX_MODULE_SIZE];  // owning module name
            duint rva;                  // offset within mod (presumed from the name)
            char text[MAX_LABEL_SIZE];  // note: sized by MAX_LABEL_SIZE, while Get() documents MAX_COMMENT_SIZE
            bool manual;
        };

        SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false);
        SCRIPT_EXPORT bool Set(const CommentInfo* info);
        SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_COMMENT_SIZE]
        SCRIPT_EXPORT bool GetInfo(duint addr, CommentInfo* info);
        SCRIPT_EXPORT bool Delete(duint addr);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(CommentInfo) list); //caller has the responsibility to free the list
    }; //Comment
}; //Script
28 |
29 | #endif //_SCRIPTAPI_COMMENT_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_debug.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_DEBUG_H
2 | #define _SCRIPTAPI_DEBUG_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Debug - execution control and breakpoints on the debuggee.
namespace Script
{
    namespace Debug
    {
        // Trigger condition for a hardware breakpoint.
        enum HardwareType
        {
            HardwareAccess,
            HardwareWrite,
            HardwareExecute
        };

        // Blocks until the debuggee pauses (presumed from the name).
        SCRIPT_EXPORT void Wait();
        SCRIPT_EXPORT void Run();
        SCRIPT_EXPORT void Pause();
        SCRIPT_EXPORT void Stop();
        SCRIPT_EXPORT void StepIn();
        SCRIPT_EXPORT void StepOver();
        SCRIPT_EXPORT void StepOut();
        // Software breakpoints.
        SCRIPT_EXPORT bool SetBreakpoint(duint address);
        SCRIPT_EXPORT bool DeleteBreakpoint(duint address);
        SCRIPT_EXPORT bool DisableBreakpoint(duint address);
        // Hardware (debug-register) breakpoints; defaults to an execute breakpoint.
        SCRIPT_EXPORT bool SetHardwareBreakpoint(duint address, HardwareType type = HardwareExecute);
        SCRIPT_EXPORT bool DeleteHardwareBreakpoint(duint address);
    }; //Debug
}; //Script
31 |
32 | #endif //_SCRIPTAPI_DEBUG_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_flag.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_FLAG_H
2 | #define _SCRIPTAPI_FLAG_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Flag - read/write individual EFLAGS bits of the debuggee's current thread.
namespace Script
{
    namespace Flag
    {
        enum FlagEnum
        {
            ZF,
            OF,
            CF,
            PF,
            SF,
            TF,
            AF,
            DF,
            IF
        };

        // Generic accessors; the per-flag functions below are shorthands for these.
        SCRIPT_EXPORT bool Get(FlagEnum flag);
        SCRIPT_EXPORT bool Set(FlagEnum flag, bool value);

        SCRIPT_EXPORT bool GetZF();
        SCRIPT_EXPORT bool SetZF(bool value);
        SCRIPT_EXPORT bool GetOF();
        SCRIPT_EXPORT bool SetOF(bool value);
        SCRIPT_EXPORT bool GetCF();
        SCRIPT_EXPORT bool SetCF(bool value);
        SCRIPT_EXPORT bool GetPF();
        SCRIPT_EXPORT bool SetPF(bool value);
        SCRIPT_EXPORT bool GetSF();
        SCRIPT_EXPORT bool SetSF(bool value);
        SCRIPT_EXPORT bool GetTF();
        SCRIPT_EXPORT bool SetTF(bool value);
        SCRIPT_EXPORT bool GetAF();
        SCRIPT_EXPORT bool SetAF(bool value);
        SCRIPT_EXPORT bool GetDF();
        SCRIPT_EXPORT bool SetDF(bool value);
        SCRIPT_EXPORT bool GetIF();
        SCRIPT_EXPORT bool SetIF(bool value);
    }; //Flag
}; //Script
46 |
47 | #endif //_SCRIPTAPI_FLAG_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_function.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_FUNCTION_H
2 | #define _SCRIPTAPI_FUNCTION_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Function - function-range annotations; same shape as Script::Argument.
namespace Script
{
    namespace Function
    {
        struct FunctionInfo
        {
            char mod[MAX_MODULE_SIZE];      // owning module name
            duint rvaStart;                 // range start, relative to mod (presumed from the name)
            duint rvaEnd;                   // range end, relative to mod
            bool manual;                    // user-defined rather than analysis-derived (presumed)
            duint instructioncount;
        };

        SCRIPT_EXPORT bool Add(duint start, duint end, bool manual, duint instructionCount = 0);
        SCRIPT_EXPORT bool Add(const FunctionInfo* info);
        // Optional out-parameters may be left nullptr.
        SCRIPT_EXPORT bool Get(duint addr, duint* start = nullptr, duint* end = nullptr, duint* instructionCount = nullptr);
        SCRIPT_EXPORT bool GetInfo(duint addr, FunctionInfo* info);
        SCRIPT_EXPORT bool Overlaps(duint start, duint end);
        SCRIPT_EXPORT bool Delete(duint address);
        // Two overloads instead of Argument's default argument; the two-argument form
        // presumably behaves like deleteManual = false.
        SCRIPT_EXPORT void DeleteRange(duint start, duint end, bool deleteManual);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(FunctionInfo) list); //caller has the responsibility to free the list
    }; //Function
}; //Script
31 |
32 | #endif //_SCRIPTAPI_FUNCTION_H
33 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_gui.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_GUI_H
2 | #define _SCRIPTAPI_GUI_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Gui - selection queries per view, simple dialogs, and Qt tab hosting.
// The per-view sub-namespaces and the Window-enum overloads expose the same operations.
namespace Script
{
    namespace Gui
    {
        namespace Disassembly
        {
            SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end);
            SCRIPT_EXPORT bool SelectionSet(duint start, duint end);
            SCRIPT_EXPORT duint SelectionGetStart();
            SCRIPT_EXPORT duint SelectionGetEnd();
        }; //Disassembly

        namespace Dump
        {
            SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end);
            SCRIPT_EXPORT bool SelectionSet(duint start, duint end);
            SCRIPT_EXPORT duint SelectionGetStart();
            SCRIPT_EXPORT duint SelectionGetEnd();
        }; //Dump

        namespace Stack
        {
            SCRIPT_EXPORT bool SelectionGet(duint* start, duint* end);
            SCRIPT_EXPORT bool SelectionSet(duint start, duint end);
            SCRIPT_EXPORT duint SelectionGetStart();
            SCRIPT_EXPORT duint SelectionGetEnd();
        }; //Stack

        // Graph, MemMap and SymMod only expose the selection start.
        namespace Graph
        {
            SCRIPT_EXPORT duint SelectionGetStart();
        }; //Graph

        namespace MemMap
        {
            SCRIPT_EXPORT duint SelectionGetStart();
        }; //MemoryMap

        namespace SymMod
        {
            SCRIPT_EXPORT duint SelectionGetStart();
        }; //SymMod
    }; //Gui

    namespace Gui
    {
        // Selects which view the Window-taking overloads operate on.
        enum Window
        {
            DisassemblyWindow,
            DumpWindow,
            StackWindow,
            GraphWindow,
            MemMapWindow,
            SymModWindow
        };

        SCRIPT_EXPORT bool SelectionGet(Window window, duint* start, duint* end);
        SCRIPT_EXPORT bool SelectionSet(Window window, duint start, duint end);
        SCRIPT_EXPORT duint SelectionGetStart(Window window);
        SCRIPT_EXPORT duint SelectionGetEnd(Window window);
        // Modal dialogs; InputLine's buffer size is fixed (see trailing comment).
        SCRIPT_EXPORT void Message(const char* message);
        SCRIPT_EXPORT bool MessageYesNo(const char* message);
        SCRIPT_EXPORT bool InputLine(const char* title, char* text); //text[GUI_MAX_LINE_SIZE]
        SCRIPT_EXPORT bool InputValue(const char* title, duint* value);
        SCRIPT_EXPORT void Refresh();
        // qWidget is an opaque QWidget* handed across the plugin boundary.
        SCRIPT_EXPORT void AddQWidgetTab(void* qWidget);
        SCRIPT_EXPORT void ShowQWidgetTab(void* qWidget);
        SCRIPT_EXPORT void CloseQWidgetTab(void* qWidget);

    }; //Gui
}; //Script
77 |
78 | #endif //_SCRIPTAPI_GUI_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_label.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_LABEL_H
2 | #define _SCRIPTAPI_LABEL_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Label - named addresses; like Comment plus a name-to-address lookup.
namespace Script
{
    namespace Label
    {
        struct LabelInfo
        {
            char mod[MAX_MODULE_SIZE];  // owning module name
            duint rva;                  // offset within mod (presumed from the name)
            char text[MAX_LABEL_SIZE];  // label text, bounded by MAX_LABEL_SIZE
            bool manual;
        };

        SCRIPT_EXPORT bool Set(duint addr, const char* text, bool manual = false);
        SCRIPT_EXPORT bool Set(const LabelInfo* info);
        // Resolves a label name to its address.
        SCRIPT_EXPORT bool FromString(const char* label, duint* addr);
        SCRIPT_EXPORT bool Get(duint addr, char* text); //text[MAX_LABEL_SIZE]
        SCRIPT_EXPORT bool GetInfo(duint addr, LabelInfo* info);
        SCRIPT_EXPORT bool Delete(duint addr);
        SCRIPT_EXPORT void DeleteRange(duint start, duint end);
        SCRIPT_EXPORT void Clear();
        SCRIPT_EXPORT bool GetList(ListOf(LabelInfo) list); //caller has the responsibility to free the list
    }; //Label
}; //Script
29 |
30 | #endif //_SCRIPTAPI_LABEL_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_memory.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_MEMORY_H
2 | #define _SCRIPTAPI_MEMORY_H
3 |
4 | #include "_scriptapi.h"
5 |
// Script::Memory - access to the debuggee's address space (the "Remote" names and the
// duint addresses indicate the target process, not the debugger's own memory).
namespace Script
{
    namespace Memory
    {
        // Bulk transfer; sizeRead/sizeWritten report the partial count on failure (presumed).
        SCRIPT_EXPORT bool Read(duint addr, void* data, duint size, duint* sizeRead);
        SCRIPT_EXPORT bool Write(duint addr, const void* data, duint size, duint* sizeWritten);
        SCRIPT_EXPORT bool IsValidPtr(duint addr);
        SCRIPT_EXPORT duint RemoteAlloc(duint addr, duint size);
        SCRIPT_EXPORT bool RemoteFree(duint addr);
        // Region queries; reserved includes reserved-but-uncommitted pages, cache allows a
        // cached memory map (presumed from the parameter names).
        SCRIPT_EXPORT unsigned int GetProtect(duint addr, bool reserved = false, bool cache = true);
        SCRIPT_EXPORT duint GetBase(duint addr, bool reserved = false, bool cache = true);
        SCRIPT_EXPORT duint GetSize(duint addr, bool reserved = false, bool cache = true);

        // Fixed-width helpers. The readers have no error channel - an unreadable address
        // is indistinguishable from a stored 0 - so use Read()/IsValidPtr() when that matters.
        SCRIPT_EXPORT unsigned char ReadByte(duint addr);
        SCRIPT_EXPORT bool WriteByte(duint addr, unsigned char data);
        SCRIPT_EXPORT unsigned short ReadWord(duint addr);
        SCRIPT_EXPORT bool WriteWord(duint addr, unsigned short data);
        SCRIPT_EXPORT unsigned int ReadDword(duint addr);
        SCRIPT_EXPORT bool WriteDword(duint addr, unsigned int data);
        SCRIPT_EXPORT unsigned long long ReadQword(duint addr);
        SCRIPT_EXPORT bool WriteQword(duint addr, unsigned long long data);
        SCRIPT_EXPORT duint ReadPtr(duint addr);
        SCRIPT_EXPORT bool WritePtr(duint addr, duint data);
    }; //Memory
}; //Script
31 |
32 | #endif //_SCRIPTAPI_MEMORY_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_misc.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_MISC_H
2 | #define _SCRIPTAPI_MISC_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
namespace Misc
{
///
/// Evaluates an expression and returns the result. Analogous to using the
/// Command field in x64dbg.
///
/// Expressions can consist of memory locations, registers, flags, API names,
/// labels, symbols, variables etc. -- i.e. the expression language is as
/// powerful as the command line, so never pass untrusted strings here without
/// understanding that they are evaluated with the debugger's full privileges.
///
/// Example: bool success = ParseExpression("[esp+8]", &val)
///
/// @param expression  NUL-terminated expression to evaluate.
/// @param value       Receives the result of the expression.
/// @return True on success, False on failure (do not rely on *value then).
SCRIPT_EXPORT bool ParseExpression(const char* expression, duint* value);

///
/// Returns the address of a function in the debuggee's memory space.
///
/// Example: duint addr = RemoteGetProcAddress("kernel32.dll", "GetProcAddress")
///
/// @param module  Name of the module as loaded in the debuggee.
/// @param api     Name of the exported function.
/// @return The address of the function in the debuggee (presumably 0 when the
///         module or export is not found -- confirm against x64dbg).
SCRIPT_EXPORT duint RemoteGetProcAddress(const char* module, const char* api);

///
/// Returns the address for a label created in the disassembly window.
///
/// Example: duint addr = ResolveLabel("sneaky_crypto")
///
/// @param label  Name of the label to resolve.
/// @return The memory address for the label (failure value not visible here).
SCRIPT_EXPORT duint ResolveLabel(const char* label);

///
/// Allocates the requested number of bytes from x64dbg's default process heap.
///
/// Note: this allocation is in the debugger, not the debuggee. Use
/// Memory::RemoteAlloc for debuggee memory.
///
/// Memory allocated using this function must be released with Free(), not
/// with the plugin's own allocator, since the two may use different heaps.
///
/// Example: void* addr = Alloc(0x100000)
///
/// @param size  Number of bytes to allocate.
/// @return A pointer to the newly allocated memory (NULL on failure presumed --
///         check before use).
SCRIPT_EXPORT void* Alloc(duint size);

///
/// Frees memory previously allocated by Alloc.
///
/// Example: Free(addr)
///
/// @param ptr  Pointer returned by Alloc.
/// @return Nothing.
SCRIPT_EXPORT void Free(void* ptr);
}; //Misc
}; //Script
64 |
65 | #endif //_SCRIPTAPI_MISC_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_module.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_MODULE_H
2 | #define _SCRIPTAPI_MODULE_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
namespace Module
{
// Loaded-module information for the debuggee. All char members are
// fixed-size, NUL-terminated buffers bounded by the SDK limits named in the
// declarations; the out-parameter buffers of the functions below must be at
// least as large as the bracketed size on each line.
struct ModuleInfo
{
duint base;              // image base in the debuggee
duint size;              // image size in bytes
duint entry;             // entry point address
int sectionCount;        // number of sections (index range for SectionFrom*)
char name[MAX_MODULE_SIZE];
char path[MAX_PATH];     // on-disk path as known to the debugger
};

struct ModuleSectionInfo
{
duint addr;              // section start address in the debuggee
duint size;
char name[MAX_SECTION_SIZE * 5]; // NOTE(review): the *5 factor is unexplained here -- presumably room for escaped/non-printable section names; do not assume the 8-byte PE limit
};

struct ModuleExport
{
duint ordinal;
duint rva;               // relative to ModuleInfo::base
duint va;                // absolute address in the debuggee
bool forwarded;          // forwardName is presumably only meaningful when true
char forwardName[MAX_STRING_SIZE];
char name[MAX_STRING_SIZE];
char undecoratedName[MAX_STRING_SIZE];
};

struct ModuleImport
{
duint iatRva;            // IAT slot, relative to the importing module's base
duint iatVa;             // IAT slot, absolute
duint ordinal; //equal to -1 if imported by name
char name[MAX_STRING_SIZE];
char undecoratedName[MAX_STRING_SIZE];
};

// Lookups keyed by an address inside the module ("FromAddr") or by module
// name ("FromName"). bool-returning functions report not-found/failure as
// false; the duint/int-returning ones have no separate error channel
// (presumably 0 -- confirm), so prefer the InfoFrom* forms when failure must
// be distinguished from a legitimate 0.
SCRIPT_EXPORT bool InfoFromAddr(duint addr, ModuleInfo* info);
SCRIPT_EXPORT bool InfoFromName(const char* name, ModuleInfo* info);
SCRIPT_EXPORT duint BaseFromAddr(duint addr);
SCRIPT_EXPORT duint BaseFromName(const char* name);
SCRIPT_EXPORT duint SizeFromAddr(duint addr);
SCRIPT_EXPORT duint SizeFromName(const char* name);
SCRIPT_EXPORT bool NameFromAddr(duint addr, char* name); //name[MAX_MODULE_SIZE]
SCRIPT_EXPORT bool PathFromAddr(duint addr, char* path); //path[MAX_PATH]
SCRIPT_EXPORT bool PathFromName(const char* name, char* path); //path[MAX_PATH]
SCRIPT_EXPORT duint EntryFromAddr(duint addr);
SCRIPT_EXPORT duint EntryFromName(const char* name);
SCRIPT_EXPORT int SectionCountFromAddr(duint addr);
SCRIPT_EXPORT int SectionCountFromName(const char* name);
// `number` is a 0-based section index, valid up to SectionCount*() - 1.
SCRIPT_EXPORT bool SectionFromAddr(duint addr, int number, ModuleSectionInfo* section);
SCRIPT_EXPORT bool SectionFromName(const char* name, int number, ModuleSectionInfo* section);
SCRIPT_EXPORT bool SectionListFromAddr(duint addr, ListOf(ModuleSectionInfo) list);
SCRIPT_EXPORT bool SectionListFromName(const char* name, ListOf(ModuleSectionInfo) list);
// Shortcuts for the debuggee's main executable.
SCRIPT_EXPORT bool GetMainModuleInfo(ModuleInfo* info);
SCRIPT_EXPORT duint GetMainModuleBase();
SCRIPT_EXPORT duint GetMainModuleSize();
SCRIPT_EXPORT duint GetMainModuleEntry();
SCRIPT_EXPORT int GetMainModuleSectionCount();
SCRIPT_EXPORT bool GetMainModuleName(char* name); //name[MAX_MODULE_SIZE]
SCRIPT_EXPORT bool GetMainModulePath(char* path); //path[MAX_PATH]
// List-returning functions allocate the list in the debugger; the caller
// must release it (see ListOf in _scriptapi.h for the free convention).
SCRIPT_EXPORT bool GetMainModuleSectionList(ListOf(ModuleSectionInfo) list); //caller has the responsibility to free the list
SCRIPT_EXPORT bool GetList(ListOf(ModuleInfo) list); //caller has the responsibility to free the list
SCRIPT_EXPORT bool GetExports(const ModuleInfo* mod, ListOf(ModuleExport) list); //caller has the responsibility to free the list
SCRIPT_EXPORT bool GetImports(const ModuleInfo* mod, ListOf(ModuleImport) list); //caller has the responsibility to free the list
}; //Module
}; //Script
77 |
78 | #endif //_SCRIPTAPI_MODULE_H
79 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_pattern.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_PATTERN_H
2 | #define _SCRIPTAPI_PATTERN_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
namespace Pattern
{
// Byte-pattern search and patching. `pattern` is a textual byte pattern in
// x64dbg's find syntax (NOTE(review): the exact syntax -- hex bytes and
// wildcard tokens -- is not visible here; see the x64dbg docs).
// Find/Write/SearchAndReplace work on a debugger-side buffer `data` of
// `datasize` bytes; the *Mem variants work on the debuggee range
// [start, start+size). The search functions return the match position
// (an offset into `data`, or a debuggee address for FindMem); the value
// used for "not found" is not visible here -- presumably -1, confirm before
// comparing against 0.
SCRIPT_EXPORT duint Find(unsigned char* data, duint datasize, const char* pattern);
SCRIPT_EXPORT duint FindMem(duint start, duint size, const char* pattern);
// Write* expand `pattern` into bytes at the start of the target. Bounds are
// taken from datasize/size; nothing here says what happens when the pattern
// is longer than the target -- do not rely on truncation.
SCRIPT_EXPORT void Write(unsigned char* data, duint datasize, const char* pattern);
SCRIPT_EXPORT void WriteMem(duint start, duint size, const char* pattern);
// Find searchpattern and overwrite the match with replacepattern; false when
// no match (or, presumably, when the write fails).
SCRIPT_EXPORT bool SearchAndReplace(unsigned char* data, duint datasize, const char* searchpattern, const char* replacepattern);
SCRIPT_EXPORT bool SearchAndReplaceMem(duint start, duint size, const char* searchpattern, const char* replacepattern);
}; //Pattern
}; //Script
18 |
19 | #endif //_SCRIPTAPI_PATTERN_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_stack.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_STACK_H
2 | #define _SCRIPTAPI_STACK_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
namespace Stack
{
// Debuggee stack access in pointer-sized slots (Register::Size() bytes), so
// the same script works unchanged on x32 and x64.
// NOTE(review): which thread's stack pointer is used is not visible here;
// assumed to be the current thread's.
SCRIPT_EXPORT duint Pop();                // read the top slot and move the stack pointer past it
SCRIPT_EXPORT duint Push(duint value); //returns the previous top, equal to Peek(1)
SCRIPT_EXPORT duint Peek(int offset = 0); //offset is in multiples of Register::Size(), for easy x32/x64 portability
}; //Stack
}; //Script
15 |
16 | #endif //_SCRIPTAPI_STACK_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/_scriptapi_symbol.h:
--------------------------------------------------------------------------------
1 | #ifndef _SCRIPTAPI_SYMBOL_H
2 | #define _SCRIPTAPI_SYMBOL_H
3 |
4 | #include "_scriptapi.h"
5 |
namespace Script
{
namespace Symbol
{
// Kind of a symbol reported by GetList.
enum SymbolType
{
Function, //user-defined function
Import, //IAT entry
Export //export
};

// One symbol. `rva` is relative to the base of module `mod`, so the entry is
// independent of where the module is loaded; `name` is NUL-terminated within
// MAX_LABEL_SIZE bytes. `manual` presumably marks user-created (rather than
// auto-analysed) entries -- confirm.
struct SymbolInfo
{
char mod[MAX_MODULE_SIZE];
duint rva;
char name[MAX_LABEL_SIZE];
bool manual;
SymbolType type;
};

// Snapshot of all known symbols into a list the caller must release
// (see ListOf in _scriptapi.h).
SCRIPT_EXPORT bool GetList(ListOf(SymbolInfo) list); //caller has the responsibility to free the list
}; //Symbol
}; //Script
29 |
30 | #endif //_SCRIPTAPI_SYMBOL_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/dbghelp/dbghelp_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/dbghelp/dbghelp_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/dbghelp/dbghelp_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/dbghelp/dbghelp_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/dbghelp/dbghelp_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/dbghelp/dbghelp_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/dbghelp/dbghelp_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/dbghelp/dbghelp_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_config.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright (c) 2010-2016 Petri Lehtinen
3 | *
4 | * Jansson is free software; you can redistribute it and/or modify
5 | * it under the terms of the MIT license. See LICENSE for details.
6 | *
7 | *
8 | * This file specifies a part of the site-specific configuration for
9 | * Jansson, namely those things that affect the public API in
10 | * jansson.h.
11 | *
12 | * The CMake system will generate the jansson_config.h file and
13 | * copy it to the build and install directories.
14 | */
15 |
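#ifndef JANSSON_CONFIG_H
#define JANSSON_CONFIG_H

/* Define this so that we can disable scattered automake configuration in source files */
#ifndef JANSSON_USING_CMAKE
#define JANSSON_USING_CMAKE
#endif

/* Note: when using cmake, JSON_INTEGER_IS_LONG_LONG is not defined nor used,
 * as we will also check for __int64 etc types.
 * (the definition was used in the automake system) */

/* Bring in the cmake-detected defines */
#define HAVE_STDINT_H 1
/* #undef HAVE_INTTYPES_H */
/* #undef HAVE_SYS_TYPES_H */

/* Include our standard type header for the integer typedef.
 * The header names were lost when this file was captured (the <...> was
 * stripped as markup); restored from the HAVE_* macros they are guarded by,
 * matching upstream jansson_config.h.cmake. */

#if defined(HAVE_STDINT_H)
# include <stdint.h>
#elif defined(HAVE_INTTYPES_H)
# include <inttypes.h>
#elif defined(HAVE_SYS_TYPES_H)
# include <sys/types.h>
#endif


/* If your compiler supports the inline keyword in C, JSON_INLINE is
   defined to `inline', otherwise empty. In C++, the inline is always
   supported. */
#ifdef __cplusplus
#define JSON_INLINE inline
#else
#define JSON_INLINE __inline
#endif


/* 64-bit JSON integer type and its parser. JSON_INTEGER_FORMAT is the
 * MSVC-specific printf length modifier for it ("%I64d"); this configuration
 * is therefore MSVC-oriented even though the include selection above is
 * portable. */
#define json_int_t long long
#define json_strtoint strtoll
#define JSON_INTEGER_FORMAT "I64d"


/* If locale.h and localeconv() are available, define to 1, otherwise to 0. */
#define JSON_HAVE_LOCALECONV 1


/* Maximum recursion depth for parsing JSON input.
   This limits the depth of e.g. array-within-array constructions, which is
   the parser's guard against stack exhaustion from untrusted input. */
#define JSON_PARSER_MAX_DEPTH 2048


#endif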
69 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/jansson/jansson_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/jansson/jansson_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x64dbg.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
#include <stdio.h>

#include "jansson.h"
4 |
/* Short alias for a jansson value pointer, used throughout the x64dbg plugin code. */
typedef json_t* JSON;
6 |
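/* Encode an unsigned 64-bit value as a JSON string of the form "0x…" with
 * upper-case hex digits (the inverse of json_hex_value).
 *
 * value: the integer to encode.
 * Returns a new jansson string value (reference owned by the caller), or NULL
 * if json_string fails.
 *
 * Fix: the original called the two-argument form sprintf_s(buf, fmt, ...),
 * which only resolves to MSVC's C++ template overload (it deduces the buffer
 * size); in C that is the three-argument function and the format string would
 * be passed as the size. snprintf with an explicit size is standard C99/C++11
 * and behaves identically here. */
static JSON_INLINE
json_t* json_hex(unsigned json_int_t value)
{
    /* "0x" + at most 16 hex digits + NUL = 19 bytes; 20 leaves one spare. */
    char hexvalue[20];
    snprintf(hexvalue, sizeof(hexvalue), "0x%llX", (unsigned long long)value);
    return json_string(hexvalue);
}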
14 |
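/* Decode a JSON string produced by json_hex ("0x…", hex digits) back to an
 * unsigned 64-bit value.
 *
 * hex: a jansson value; anything that is not a string yields 0.
 * Returns the parsed value, or 0 when the value is not a string, lacks the
 * "0x" prefix, or has no hex digits after it.
 *
 * sscanf_s and sscanf are identical for purely numeric conversions, so the
 * portable sscanf is used. The return value is now checked explicitly; the
 * result is unchanged (ret stays 0) but the intent is visible.
 * NOTE(review): more than 16 hex digits overflows unsigned long long and
 * %llX gives no error for that; when the JSON comes from an untrusted source
 * (e.g. a shared settings/profile file), bound-check the string length first
 * if the exact value matters. */
static JSON_INLINE
unsigned json_int_t json_hex_value(const json_t* hex)
{
    unsigned json_int_t ret = 0;
    const char* hexvalue = json_string_value(hex);
    if(!hexvalue)
        return 0;
    if(sscanf(hexvalue, "0x%llX", &ret) != 1)
        return 0;
    return ret;
}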
26 |
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/jansson/jansson_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/jansson/jansson_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/jansson/jansson_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4_x64.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/lz4/lz4_x64.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/lz4/lz4_x64.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4_x86.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/lz4/lz4_x86.a
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/lz4/lz4_x86.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/lz4/lz4file.h:
--------------------------------------------------------------------------------
1 | #ifndef _LZ4FILE_H
2 | #define _LZ4FILE_H
3 |
/* Result codes of the whole-file LZ4 helpers below. LZ4_SUCCESS is the only
   success value; every other member names the stage that failed. */
typedef enum _LZ4_STATUS
{
LZ4_SUCCESS,
LZ4_FAILED_OPEN_INPUT,    /* input_filename could not be opened */
LZ4_FAILED_OPEN_OUTPUT,   /* output_filename could not be created/opened */
LZ4_NOT_ENOUGH_MEMORY,
LZ4_INVALID_ARCHIVE,      /* decompress: input is not an LZ4 archive */
LZ4_CORRUPTED_ARCHIVE     /* decompress: archive recognised but damaged */
} LZ4_STATUS;

#if defined (__cplusplus)
extern "C"
{
#endif

/* Compress/decompress a whole file, path in, path out. The ...W variants take
   UTF-16 paths. Paths are passed straight to the DLL; nothing here canonicalises
   or validates them, so callers that build paths from untrusted data (profile
   names, user input) must do that themselves. The DLL is resolved at load time
   (dllimport); there is no in-memory API in this header. */
__declspec(dllimport) LZ4_STATUS LZ4_compress_file(const char* input_filename, const char* output_filename);
__declspec(dllimport) LZ4_STATUS LZ4_compress_fileW(const wchar_t* input_filename, const wchar_t* output_filename);
__declspec(dllimport) LZ4_STATUS LZ4_decompress_file(const char* input_filename, const char* output_filename);
__declspec(dllimport) LZ4_STATUS LZ4_decompress_fileW(const wchar_t* input_filename, const wchar_t* output_filename);

#if defined (__cplusplus)
}
#endif
27 |
28 | #endif //_LZ4FILE_H
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/x32bridge.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/x32bridge.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/x32dbg.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/x32dbg.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/x64bridge.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/x64bridge.lib
--------------------------------------------------------------------------------
/HyperHide/pluginsdk/x64dbg.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/pluginsdk/x64dbg.lib
--------------------------------------------------------------------------------
/HyperHide/resource.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/resource.aps
--------------------------------------------------------------------------------
/HyperHide/resource.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
/* Resource IDs for the HyperHide settings dialog (layout in resource.rc). */
#define DLG_MAIN 100
#define IDB_ICON 101
/* IDC_CHK_*: one checkbox per hook / hiding feature, 1000-1038. The first group
   (NT* names) selects which system calls are intercepted; the CLEAR*/SAVE*
   group selects which debugger-visible process state is scrubbed or preserved. */
#define IDC_CHK_NTQUERYINFORMATIONPROCESS 1000
#define IDC_CHK_NTQUERYSYSTEMINFORMATION 1001
#define IDC_CHK_NTQUERYINFORMATIONTHREAD 1002
#define IDC_CHK_NTQUERYINFORMATIONJOBOBJECT 1003
#define IDC_CHK_NTQUERYOBJECT 1004
#define IDC_CHK_NTQUERYSYSTEMTIME 1005
#define IDC_CHK_NTQUERYPERFORMANCECOUNTER 1006
#define IDC_CHK_NTCREATEUSERPROCESS 1007
#define IDC_CHK_NTCREATEPROCESSEX 1008
#define IDC_CHK_NTCREATETHREADEX 1009
#define IDC_CHK_NTSETCONTEXTTHREAD 1010
#define IDC_CHK_NTGETCONTEXTTHREAD 1011
#define IDC_CHK_NTOPENPROCESS 1012
#define IDC_CHK_NTOPENTHREAD 1013
#define IDC_CHK_NTSETINFORMATIONTHREAD 1014
#define IDC_CHK_NTSYSTEMDEBUGCONTROL 1015
#define IDC_CHK_NTGETNEXTPROCESS 1016
#define IDC_CHK_NTYIELDEXECUTION 1017
#define IDC_CHK_NTCREATEFILE 1018
#define IDC_CHK_NTCONTINUE 1019
#define IDC_CHK_NTCLOSE 1020
#define IDC_CHK_NTUSERBUILDHWNDLIST 1021
#define IDC_CHK_NTUSERFINDWINDOWEX 1022
#define IDC_CHK_NTUSERQUERYWINDOW 1023
#define IDC_CHK_NTUSERGETFOREGROUNDWINDOW 1024
#define IDC_CHK_KUSER_SHARED_DATA 1025
#define IDC_CHK_KIEXCEPTIONDISPATCH 1026
#define IDC_CHK_NTSETINFORMATIONPROCESS 1027
#define IDC_CHK_CLEARPEBBEINGDEBUGGED 1028
#define IDC_CHK_CLEARPEBNTGLOBALFLAG 1029
#define IDC_CHK_CLEARHEAPFLAGS 1030
#define IDC_CHK_CLEARKUSERSHAREDDATA 1031
#define IDC_CHK_CLEARHIDEFROMDEBUGGER 1032
#define IDC_CHK_CLEARBYPASSFREEZEFLAG 1033
#define IDC_CHK_CLEARPROCESSBREAKONTERM 1034
#define IDC_CHK_CLEARTHREADBREAKONTERM 1035
#define IDC_CHK_SAVEPROCESSDEBUGFLAGS 1036
#define IDC_CHK_SAVEPROCESSHANDLETRACING 1037
#define IDC_CHK_SELECT_ALL 1038
/* Profile selection and buttons. */
#define IDC_COB_CURRENTPROFILE 2000
#define IDC_BTN_OK 3000
#define IDC_BTN_CREATENEWPROFILE 3001
/* Static text. */
#define IDC_TXT_COPYRIGHT 4000
#define IDC_TXT_CURRENT 4001
49 |
--------------------------------------------------------------------------------
/HyperHide/resource.rc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHide/resource.rc
--------------------------------------------------------------------------------
/HyperHideDrv/ActiveProcessDbgList.c:
--------------------------------------------------------------------------------
1 | #include "ntddk.h"
/* One tracked (process, debug port) pair.
   NOTE(review): this definition duplicates the one in ActiveProcessDbgList.h;
   this .c file does not include that header, so the two copies can drift
   apart silently. */
typedef struct _DbgPortList{
LIST_ENTRY PortList;   /* link in the file-static PortList; guarded by Port_lock */
ULONG64 DbgPort;       /* recorded debug port value; 0 means "none" (see Port_IsPort) */
UINT8 markdbg;         /* set to FALSE on insert; not read anywhere in this file */
PEPROCESS Process;     /* raw EPROCESS pointer -- no object reference is taken on insert */
}DbgPortList, *PDbgPortList;
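/* File-global list of DbgPortList entries and the spin lock that guards its
   links. Both are (re)initialised by InitDbgPortList(). KSPIN_LOCK is an
   integer type (ULONG_PTR), so the static initialiser is 0; the original
   used NULL, a pointer constant, which only compiles with a pointer-to-integer
   conversion warning. */
static LIST_ENTRY PortList;
static KSPIN_LOCK Port_lock = 0;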
/* Initialise the process/debug-port list head and its spin lock.
   Must run once, before any other Port_* function touches PortList. */
VOID InitDbgPortList(){
    KeInitializeSpinLock(&Port_lock);
    InitializeListHead(&PortList);
}
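/* Find the first entry matching Process and/or DbgPort.
   Matching rule (unchanged): an entry matches when Process is non-NULL and
   equals the entry's Process, OR when DbgPort is non-zero and equals the
   entry's DbgPort. (NULL, 0) never matches.
   Returns the entry, or NULL.

   NOTE(review): the pointer is returned AFTER Port_lock has been released,
   so nothing stops a concurrent Port_ExFreeItem/Port_RemoveDbgItem from
   freeing the entry before the caller reads it -- and every caller in this
   file (Port_IsPort, Port_GetPort) does read it unlocked. Safe use needs
   either a guarantee that removals never race with lookups, or an API that
   copies the fields out under the lock instead of returning the node.

   Fix in this revision: DbgPort is a ULONG64 and is now compared with 0
   rather than the pointer constant NULL (integer/pointer comparison). */
PDbgPortList Port_FindProcessList(PEPROCESS Process ,ULONG64 DbgPort){
    KIRQL OldIrql;
    PLIST_ENTRY Entry;
    PDbgPortList Found = NULL;

    KeAcquireSpinLock(&Port_lock, &OldIrql);
    for (Entry = PortList.Flink; Entry != &PortList; Entry = Entry->Flink)
    {
        PDbgPortList Item = CONTAINING_RECORD(Entry, DbgPortList, PortList);

        if (Process != NULL && Item->Process == Process)
        {
            Found = Item;
            break;
        }
        if (DbgPort != 0 && Item->DbgPort == DbgPort)
        {
            Found = Item;
            break;
        }
    }
    KeReleaseSpinLock(&Port_lock, OldIrql);
    return Found;
}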
50 |
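/* Allocate a non-paged entry for (Process, DbgPort) and append it to PortList.
   Returns the new entry, or NULL when the pool allocation fails (the original
   returned FALSE -- an int -- through a pointer return type, and re-tested a
   pointer it had already checked).

   NOTE(review): Process is stored raw, without ObReferenceObject. If the
   process can exit before Port_RemoveDbgItem is called, the stored pointer
   dangles and a later Port_FindProcessList can match a recycled EPROCESS.
   No duplicate check is made either: inserting the same process twice yields
   two entries, and lookups return the older one. */
PDbgPortList Port_AddProcessToList(PEPROCESS Process,ULONG64 DbgPort){
    PDbgPortList Item;

    Item = (PDbgPortList)ExAllocatePoolWithTag(NonPagedPool, sizeof(DbgPortList), 'prrp');
    if (Item == NULL)
    {
        return NULL;
    }

    RtlZeroMemory(Item, sizeof(DbgPortList));
    Item->Process = Process;
    Item->DbgPort = DbgPort;
    Item->markdbg = FALSE;
    /* Insert under Port_lock; from here on lookups can see the entry. */
    ExInterlockedInsertTailList(&PortList, &Item->PortList, &Port_lock);
    return Item;
}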
/* Record DbgPort for Process. TRUE when the entry was added, FALSE when the
   underlying allocation failed. Thin wrapper over Port_AddProcessToList. */
BOOLEAN Port_SetPort(PEPROCESS Process, ULONG64 DbgPort){
    PDbgPortList Added = Port_AddProcessToList(Process, DbgPort);
    return (Added != NULL) ? TRUE : FALSE;
}
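/* TRUE if Process has a non-zero debug port recorded in PortList.
   Fix: DbgPort is ULONG64 -- the lookup argument and the comparison now use 0
   instead of the pointer constant NULL (same value, no integer/pointer mix).
   NOTE(review): the entry is dereferenced after Port_FindProcessList has
   dropped Port_lock; see the race note on that function. */
BOOLEAN Port_IsPort(PEPROCESS Process){
    PDbgPortList Item = Port_FindProcessList(Process, 0);

    if (Item == NULL)
    {
        return FALSE;
    }
    /* Item->Process == Process is already implied by the lookup for a non-NULL
       Process; it is kept so a NULL Process can never report TRUE. */
    return (Item->DbgPort != 0 && Item->Process == Process) ? TRUE : FALSE;
}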
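/* Return the debug port recorded for Process, or 0 when none is recorded
   (the original returned FALSE, i.e. 0, through a ULONG64 return type).
   Fix: integer comparisons use 0 instead of NULL, and the %p argument is cast
   to a pointer type so the DbgPrint format matches its argument.
   NOTE(review): same unlocked read of the list entry as Port_IsPort. */
ULONG64 Port_GetPort(PEPROCESS Process){
    PDbgPortList Item = Port_FindProcessList(Process, 0);

    if (Item == NULL)
    {
        return 0;
    }
    DbgPrint("Port_GetPort:Temp != NULL\n");
    if (Item->DbgPort != 0 && Item->Process == Process){
        DbgPrint("Port_GetPort:%p ok\n", (PVOID)(ULONG_PTR)Item->DbgPort);
        return Item->DbgPort;
    }
    return 0;
}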
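/* Unlink Item from PortList under Port_lock, then return it to the pool.
   Item must currently be linked; unlinking an entry that another path has
   already freed is a double free (see Port_RemoveDbgItem for the race).
   Changes: the KIRQL declaration precedes the first statement (C89-clean),
   and the free uses the same tag as the allocation in Port_AddProcessToList
   so Driver Verifier can detect tag mismatches. */
VOID NTAPI Port_ExFreeItem(PDbgPortList Item)
{
    KIRQL OldIrql;

    DbgPrint("Port_ExFreeItem:%p\n", Item);
    KeAcquireSpinLock(&Port_lock, &OldIrql);
    RemoveEntryList(&Item->PortList);
    KeReleaseSpinLock(&Port_lock, OldIrql);
    ExFreePoolWithTag(Item, 'prrp');
}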
118 |
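/* Remove and free the first entry matching Process (if non-NULL) or DbgPort
   (if non-zero) -- the same rule Port_FindProcessList uses. Returns TRUE when
   an entry was removed, FALSE otherwise.

   Fix: the original looked the entry up (releasing Port_lock), then
   re-acquired the lock to unlink it. Two concurrent removals of the same
   entry could both pass the lookup and both unlink/free it (double
   RemoveEntryList, double free). The search and the unlink now happen under
   a single hold of Port_lock; only the pool free is done after release, since
   ExFreePoolWithTag must not be called at DISPATCH_LEVEL for paged pool and
   there is no reason to hold the lock for it. The original's redundant
   re-checks after the lookup were always true and are gone; the debug print
   that Port_ExFreeItem emitted is not reproduced. */
BOOLEAN Port_RemoveDbgItem(PEPROCESS Process, ULONG64 DbgPort){
    KIRQL OldIrql;
    PLIST_ENTRY Entry;
    PDbgPortList Victim = NULL;

    KeAcquireSpinLock(&Port_lock, &OldIrql);
    for (Entry = PortList.Flink; Entry != &PortList; Entry = Entry->Flink)
    {
        PDbgPortList Item = CONTAINING_RECORD(Entry, DbgPortList, PortList);

        if ((Process != NULL && Item->Process == Process) ||
            (DbgPort != 0 && Item->DbgPort == DbgPort))
        {
            RemoveEntryList(&Item->PortList);
            Victim = Item;
            break;
        }
    }
    KeReleaseSpinLock(&Port_lock, OldIrql);

    if (Victim == NULL)
    {
        return FALSE;
    }
    ExFreePoolWithTag(Victim, 'prrp');
    return TRUE;
}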
144 |
--------------------------------------------------------------------------------
/HyperHideDrv/ActiveProcessDbgList.h:
--------------------------------------------------------------------------------
1 | #include <ntddk.h>
2 |
/* Per-process debug-port bookkeeping shared with ActiveProcessDbgList.c.
   NOTE(review): that .c file re-declares this struct instead of including
   this header, and this header has no include guard / #pragma once. Keep the
   two definitions identical, or better, make the .c include this file. */
typedef struct _DbgPortList{
LIST_ENTRY PortList;   /* list link; guarded by the .c file's spin lock */
ULONG64 DbgPort;       /* recorded debug port; 0 means none */
UINT8 markdbg;
PEPROCESS Process;     /* raw EPROCESS pointer, not referenced */
}DbgPortList, *PDbgPortList;
/* Must be called once before any other Port_* function. */
VOID InitDbgPortList();
/* Lookup by Process (non-NULL) or DbgPort (non-zero). Returns NULL when no
   entry matches. The returned pointer is NOT protected by the list lock. */
PDbgPortList Port_FindProcessList(PEPROCESS Process, ULONG64 DbgPort);
/* Allocate and link a new entry; NULL on allocation failure. */
PDbgPortList Port_AddProcessToList(PEPROCESS Process, ULONG64 DbgPort);
/* Unlink and free an entry obtained from the functions above. */
VOID NTAPI Port_ExFreeItem(PDbgPortList Item);
/* Convenience wrappers: record a port / test for a port / read the port. */
BOOLEAN Port_SetPort(PEPROCESS Process, ULONG64 DbgPort);
BOOLEAN Port_IsPort(PEPROCESS Process);
ULONG64 Port_GetPort(PEPROCESS Process);   /* 0 when nothing is recorded */
/* Remove the first entry matching Process or DbgPort; TRUE if one was removed. */
BOOLEAN Port_RemoveDbgItem(PEPROCESS Process, ULONG64 DbgPort);
--------------------------------------------------------------------------------
/HyperHideDrv/CFunction.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/CFunction.cpp
--------------------------------------------------------------------------------
/HyperHideDrv/CFunction.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/CFunction.h
--------------------------------------------------------------------------------
/HyperHideDrv/CKernelDbg.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/CKernelDbg.cpp
--------------------------------------------------------------------------------
/HyperHideDrv/CKernelDbg.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "Header.h"
3 |
// Resolved addresses of ntoskrnl internals used by the kernel-debugging
// hiding logic. NOTE(review): none of these are exported; they must be
// resolved per kernel build (presumably from symbol files by the user-mode
// HyperDbgTool, see CSymbols.cpp) and every pointer should be validated as
// non-NULL before it is called or patched. A stale or wrong address here is
// a kernel crash or, worse, a silent patch of the wrong routine.
// Member names are part of the interface (including the misspelt
// DdbgkpSuspendProcess) and are left unchanged.
typedef struct _SYMBOLS_DATA
{
PVOID DbgkExitThread;
PVOID DbgkClearProcessDebugObject;
PVOID DbgkSendSystemDllMessages;
PVOID PspExitThread;
PVOID PspTerminateAllThreads;
PVOID PspProcessDelete;
PULONG PspNotifyEnableMask;            // the only non-code symbol: a data variable
PVOID DbgkExitProcess;
PVOID DbgkpPostFakeThreadMessages;
PVOID DbgkpPostFakeProcessCreateMessages;
PVOID PsCallImageNotifyRoutines;
PVOID ObFastReferenceObjectLocked;
PVOID ObFastReferenceObject;
PVOID ObFastDereferenceObject;
PVOID DbgkpSendApiMessageLpc;
PVOID DbgkpSendErrorMessage;
PVOID DbgkpQueueMessage;
PVOID DdbgkpSuspendProcess;            // sic: presumably DbgkpSuspendProcess
PVOID KiDispatchException;
PVOID DbgkForwardException;
PVOID DbgkMapViewOfSection;
PVOID DbgkCreateThread;
PVOID DbgkUnMapViewOfSection;
PVOID DbgkCopyProcessDebugPort;
PVOID DbgkOpenProcessDebugPort;
PVOID DbgkpSetProcessDebugObject;
PVOID DbgkpMarkProcessPeb;
PVOID PsSuspendThread;
PVOID PsResumeThread;
PVOID KeResumeThread;
PVOID PsSynchronizeWithThreadInsertion;
PVOID DbgkpPostModuleMessages;
PVOID DbgkpFreeDebugEvent;
PVOID DbgkpWakeTarget;
PVOID ObDuplicateObject;
PVOID KiCheckForKernelApcDelivery;
PVOID PsQuerySystemDllInfo;
//PVOID ExAcquireRundownProtection_0;
PVOID PsGetNextProcessThread;
PVOID KeFreezeAllThreads;
PVOID KeThawAllThreads;
PVOID PsThawProcess;
PVOID PsFreezeProcess;
PVOID ZwFlushInstructionCache;


// Process-teardown and object-manager internals.
PVOID PspActiveProcessLock;
PVOID ExfAcquirePushLockExclusive;
PVOID ExfTryToWakePushLock;
PVOID PspRemoveProcessFromJob;
PVOID PspDeleteLdt;
PVOID PsReturnProcessNonPagedPoolQuota;
PVOID AlpcpCleanupProcessViews;
PVOID ObDereferenceDeviceMap;
PVOID PspDereferenceQuotaBlock;
PVOID PsReturnProcessPagedPoolQuota;
PVOID ExDestroyHandle;
PVOID MmCleanProcessAddressSpace;
PVOID MmDeleteProcessAddressSpace;
PVOID MmGetFileNameForSection;
PVOID PspCidTable;                     // data symbol (the CID handle table), not a routine
PVOID ObFastReplaceObject;
PVOID LpcRequestWaitReplyPortEx;
PVOID PsTestProtectedProcessIncompatibility;
PVOID PsRequestDebugSecureProcess;
}SYMBOLS_DATA, * PSYMBOLS_DATA;
73 |
74 |
// Start/stop switch for the kernel-side debugger hiding. The implementation
// (CKernelDbg.cpp) is not visible here; the public contract is only that
// StartKernelDbg reports success as BOOLEAN and StopKernelDbg undoes it.
class CKernelDbg
{
public:

// Initialise (via IniteKernelDbg) and activate. FALSE if initialisation failed.
BOOLEAN StartKernelDbg();
// Deactivate; expected to restore whatever StartKernelDbg changed.
void StopKernelDbg();

private:
// One-time setup, presumably resolving/validating SYMBOLS_DATA -- not visible here.
BOOLEAN IniteKernelDbg();

};
91 |
92 |
--------------------------------------------------------------------------------
/HyperHideDrv/CKernelTable.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/CKernelTable.cpp
--------------------------------------------------------------------------------
/HyperHideDrv/CKernelTable.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "Header.h"
3 |
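// Locator for the kernel's system-service dispatch tables (SSDT and the
// shadow SSDT used for win32k services), with index<->address<->name mapping.
// NOTE(review): FindKeServiceDescriptorTable64 is a byte-pattern search over
// a caller-supplied range; a wrong hit yields bogus addresses, so callers
// should sanity-check results (non-NULL, inside the kernel image) before use.
// Fix: GetShadowAddressFromIndex was declared inside the class with an extra
// `CKernelTable::` qualification, which is ill-formed C++ (MSVC accepts it
// with a warning, GCC/Clang reject it). The qualification is removed; the
// out-of-class definition in CKernelTable.cpp is unaffected.
class CKernelTable
{
public:
    CKernelTable();
    ~CKernelTable();

    // Service routine address for SSDT entry `Index` in the running kernel.
    PVOID GetAddressFromIndex(
        ULONG Index);
    // Service index for an exported Nt*/Zw* name; FALSE if unknown.
    BOOLEAN GetIndexFromName(
        IN CHAR* FunctionName,
        OUT PUINT32 Index);
    // Inverse of GetIndexFromName. FunctionName is an output buffer whose size
    // is not part of this interface -- confirm the expected capacity in the .cpp.
    BOOLEAN GetFunctionNameFromIndex(
        OUT CHAR* FunctionName,
        IN UINT32 Index
    );
    // Original (unhooked) address for `Index`, read from a second copy of the
    // kernel image mapped at NewImageBass.
    BOOLEAN GetOldAddressFromIndex(
        OUT PVOID* OldFunctionAddress,
        IN UINT32 Index,
        IN PVOID NewImageBass);
    // Shadow-SSDT counterparts of the two functions above.
    PVOID GetShadowAddressFromIndex(
        ULONG Index);
    BOOLEAN GetShadowOldAddressFromIndex(
        OUT PVOID* OldFunctionAddress,
        UINT32 Index,
        IN PVOID NewImageBass,
        IN PVOID OldBass);
    // Name -> live service address (GetIndexFromName + GetAddressFromIndex).
    PVOID GetAddressFromName(CHAR* FunctionName);
private:
    PVOID FindKeServiceDescriptorTable64(
        PUCHAR StartSearchAddress,
        PUCHAR EndSearchAddress);
    PServiceDescriptorTableEntry_t GetKeServiceDescriptorTable();
    PServiceDescriptorTableEntry_t GetKeServiceDescriptorTableShadow();
};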
38 |
39 |
--------------------------------------------------------------------------------
/HyperHideDrv/CPeModule.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/CPeModule.cpp
--------------------------------------------------------------------------------
/HyperHideDrv/CPeModule.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/CPeModule.h
--------------------------------------------------------------------------------
/HyperHideDrv/DBGTOOL.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/DBGTOOL.c
--------------------------------------------------------------------------------
/HyperHideDrv/DRRWE.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | //typedef LONG DWORD;
/* Saved debug-register state for one thread, linked into PROCESS_List.ThreadList.
   NOTE(review): on x64, DR0-DR3 hold 64-bit linear addresses, but the fields
   are DWORD -- the upper 32 bits are dropped on save and restore unless every
   watched address is below 4 GB. Confirm against the code that fills this in
   (not visible here); ULONG64/ULONG_PTR would be the safe width. */
typedef struct _THREAD_dr_List{
LIST_ENTRY TList;
DWORD Dr0;
DWORD Dr1;
DWORD Dr2;
DWORD Dr3;
DWORD Dr6;
DWORD Dr7;
DWORD eflag;    /* saved EFLAGS (likely for the TF/RF bits) -- confirm */
PETHREAD Thread;

}THREAD_dr_List, *PTHREAD_dr_List;
16 |
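/* Split a 64-bit value into its high and low 32-bit halves.
   Fix: LODWORD masked with 0x0000ffff, which kept only the low 16 bits; any
   debug-register address or EFLAGS value with bits 16-31 set was silently
   truncated. The mask is now the full low dword. */
#define HIDWORD(a) ((DWORD)((UINT64)(a) >> 32))
#define LODWORD(a) ((DWORD)((UINT64)(a) & 0xffffffffULL))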
/* Per-process node: links into the global process list and owns a list of
   THREAD_dr_List entries protected by its own spin lock.
   (Member names PorcessList / loacl_lock are misspelt but are part of the
   interface used by the Dr_* functions, so they are left as-is.) */
typedef struct _PROCESS_List{
LIST_ENTRY PorcessList;   /* link in the global process list (see InitListAndLock) */
PEPROCESS Process;        /* raw EPROCESS pointer; no reference taken by this struct */
KSPIN_LOCK loacl_lock;    /* guards ThreadList */
LIST_ENTRY ThreadList;    /* head of THREAD_dr_List.TList entries */
}PROCESS_List, *PPROCESS_List;
// Initialises the global process list and its lock; call before any other Dr_* routine.
// NOTE(review): only this declaration carries EXTERN_C; if the definitions live in a
// C file and this header is included from C++, the remaining names will not link.
EXTERN_C VOID InitListAndLock();
// Look up the node for Process; NULL when not registered (inferred from the name).
PPROCESS_List Dr_FindProcessList(PEPROCESS Process);
// Create and register a node for Process.
PPROCESS_List Dr_AddProcessToList(PEPROCESS Process);
// Unlink and free a node returned by Dr_AddProcessToList/Dr_FindProcessList.
VOID NTAPI Dr_ExFreeItem(PPROCESS_List Item);
// Attach a THREAD_dr_List record to DrRwListItem->ThreadList.
PTHREAD_dr_List Dr_AddThreadStructToList(PPROCESS_List DrRwListItem, PTHREAD_dr_List Struct);
// Unlink and free a thread record of DrRwListItem.
VOID NTAPI Dr_ExFreeTheadListItem(PPROCESS_List DrRwListItem, PTHREAD_dr_List Struct);
// Find the thread record for Thread inside DrRwListItem.
PTHREAD_dr_List Dr_FindThreadContextByThreadList(PPROCESS_List DrRwListItem, PETHREAD Thread);
// Overwrite Thread's record with the values in UpData (sic: "Updata").
PTHREAD_dr_List Dr_UpdataThreadContextByThreadList(PPROCESS_List DrRwListItem, PETHREAD Thread, PTHREAD_dr_List UpData);
33 |
--------------------------------------------------------------------------------
/HyperHideDrv/DbgIsMyProcess.c:
--------------------------------------------------------------------------------
1 | #include "ntddk.h"
2 |
/* One debugger/debuggee association kept in DbgList.  All four payload fields
 * are copied by Debug_AddStructToList and any one of them is enough for
 * Debug_FindMyNeedData to report a match.
 *
 * NOTE(review): DbgProcessList is a LIST_ENTRY64 (ULONGLONG Flink/Blink) but
 * is passed to the LIST_ENTRY-based list routines; the layouts coincide only
 * on 64-bit builds and the pointer/integer mixing draws compiler warnings. */
typedef struct _DbgProcess
{
    LIST_ENTRY64 DbgProcessList;  /* link in DbgList */
    PEPROCESS DebugProcess;       /* the debugger process (inferred from the name) */
    PEPROCESS Process;            /* the debugged process (inferred from the name) */
    POBJECT_TYPE DebugObject;
    HANDLE DbgHanle;              /* sic: "Hanle" */
}DbgProcess, *PDbgProcess;
11 |
/* Global registry of DbgProcess records and the spin lock that guards every
 * walk and mutation of it (see Debug_AddStructToList / Debug_ExFreeItem /
 * Debug_FindMyNeedData).  Both must be set up by InitialzeDbgprocessList first. */
static LIST_ENTRY64 DbgList;
static KSPIN_LOCK d_lock;
14 |
/* Prepare the empty DbgList and its lock.  Must run once before any of the
 * Debug_* routines below touch the list. */
VOID InitialzeDbgprocessList(){
    InitializeListHead(&DbgList);
    KeInitializeSpinLock(&d_lock);
}
20 |
21 |
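/* Pool tag for DbgProcess records; stored little-endian, so it reads as
 * "dbx " in pool-tracking tools. */
#define DBG_PROCESS_POOL_TAG ' xbd'

/*
 * Debug_AddStructToList - copy the payload of DbgStruct into a fresh
 * non-paged allocation and append it to DbgList under d_lock.
 *
 * DbgStruct: record to copy.  Only DbgHanle, DebugObject, DebugProcess and
 *            Process are copied; the caller's list link is ignored.
 * Returns the pool-allocated copy (to be released with Debug_ExFreeItem), or
 * NULL when DbgStruct fails the address check or the allocation fails.  The
 * previous version returned FALSE through a pointer type.
 */
PDbgProcess Debug_AddStructToList(PDbgProcess DbgStruct){
    PDbgProcess pstruct = NULL;

    /* MmIsAddressValid only says whether the page is resident right now; it
       does not validate a caller-supplied pointer, merely avoids a fault here. */
    if (!MmIsAddressValid(DbgStruct))
        return NULL;

    /* The tag parameter is a ULONG.  The previous call passed the string
       literal "dbx", i.e. a (truncated) pointer, as the tag. */
    pstruct = (PDbgProcess)ExAllocatePoolWithTag(NonPagedPool, sizeof(DbgProcess), DBG_PROCESS_POOL_TAG);
    if (!pstruct)
        return NULL;

    RtlZeroMemory(pstruct, sizeof(DbgProcess));
    pstruct->DbgHanle = DbgStruct->DbgHanle;
    pstruct->DebugObject = DbgStruct->DebugObject;
    pstruct->DebugProcess = DbgStruct->DebugProcess;
    pstruct->Process = DbgStruct->Process;

    ExInterlockedInsertTailList(&DbgList, &pstruct->DbgProcessList, &d_lock);
    return pstruct;
}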
45 |
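/*
 * Debug_ExFreeItem - unlink Item from DbgList under d_lock and return its
 * memory to the pool.
 *
 * Item: a record returned by Debug_AddStructToList that is still linked.
 *       NULL is ignored (the previous version dereferenced it).  Passing an
 *       already-freed or never-linked record corrupts the list.
 */
VOID NTAPI Debug_ExFreeItem(PDbgProcess Item)
{
    KIRQL OldIrql;

    if (Item == NULL)
        return;

    KeAcquireSpinLock(&d_lock, &OldIrql);
    RemoveEntryList(&Item->DbgProcessList);
    KeReleaseSpinLock(&d_lock, OldIrql);

    ExFreePool(Item);
}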
57 |
/*
 * Debug_FindMyNeedData - return the first record in DbgList that agrees with
 * DbgStruct on any one of DbgHanle, DebugObject, DebugProcess or Process.
 *
 * The walk is done under d_lock, but the result is returned after the lock
 * is released, so the caller must ensure nobody can Debug_ExFreeItem the
 * record concurrently.  Returns NULL when DbgStruct fails MmIsAddressValid
 * or nothing matches.
 *
 * NOTE(review): equality is tested field by field without excluding zero, so
 * a NULL field on both sides (e.g. DebugObject left unset in the query and in
 * a stored record) counts as a match.  Callers should fill fields they do not
 * mean to match with values that cannot collide.
 */
PDbgProcess Debug_FindMyNeedData(PDbgProcess DbgStruct){
    PDbgProcess Match = NULL;
    PLIST_ENTRY64 Link;
    KIRQL OldIrql;

    if (MmIsAddressValid(DbgStruct) != TRUE)
        return NULL;

    KeAcquireSpinLock(&d_lock, &OldIrql);
    for (Link = DbgList.Flink; Link != &DbgList; Link = Link->Flink)
    {
        PDbgProcess Candidate = CONTAINING_RECORD(Link, DbgProcess, DbgProcessList);

        if (Candidate->DbgHanle == DbgStruct->DbgHanle ||
            Candidate->DebugObject == DbgStruct->DebugObject ||
            Candidate->DebugProcess == DbgStruct->DebugProcess ||
            Candidate->Process == DbgStruct->Process)
        {
            Match = Candidate;
            break;
        }
    }
    KeReleaseSpinLock(&d_lock, OldIrql);

    return Match;
}
--------------------------------------------------------------------------------
/HyperHideDrv/Dispatcher.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/Dispatcher.cpp
--------------------------------------------------------------------------------
/HyperHideDrv/Dispatcher.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
// IRP_MJ_DEVICE_CONTROL handler installed by DriverEntry; services the
// IOCTL_* codes listed in Ioctl.h.  Defined in Dispatcher.cpp.
NTSTATUS DrvIOCTLDispatcher(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp);
--------------------------------------------------------------------------------
/HyperHideDrv/Driver.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 |
3 | #include
4 | #include "Log.h"
5 | #include "Utils.h"
6 | #include "HookedFunctions.h"
7 | #include "GlobalData.h"
8 | #include "HypervisorGateway.h"
9 | #include "Dispatcher.h"
10 | #include "Notifiers.h"
11 | #include "Ssdt.h"
12 | #include "Ntapi.h"
13 | #include
14 | #include "dbgtool.h"
15 |
// Driver-wide state.  g_HyperHide.CurrentWindowsBuildNumber is filled from
// RtlGetVersion in DriverEntry; the remaining members are populated elsewhere
// (types declared in GlobalData.h).
HYPER_HIDE_GLOBAL_DATA g_HyperHide = { 0 };
SYSTEM_DATA g_SystemData = { 0 };
18 |
19 |
/*
 * DrvUnload - undo DriverEntry in reverse order: hider state, the two notify
 * routines, the hypervisor hooks, then the DosDevices link and the device.
 * The two 100 ms relative waits presumably let in-flight callbacks and hooked
 * syscalls leave our code before the image goes away.
 */
VOID DrvUnload(PDRIVER_OBJECT DriverObject)
{
    LARGE_INTEGER GracePeriod;
    GracePeriod.QuadPart = -1000000LL; // negative => relative; 100 ns units => 100 ms

    Hider::Uninitialize();
    KeDelayExecutionThread(KernelMode, FALSE, &GracePeriod);

    PsRemoveCreateThreadNotifyRoutine(ThreadNotifyRoutine);
    PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutine, TRUE);
    hv::unhook_all_functions();
    KeDelayExecutionThread(KernelMode, FALSE, &GracePeriod);

    UNICODE_STRING DosDeviceName;
    RtlInitUnicodeString(&DosDeviceName, L"\\DosDevices\\HyperDbg");
    IoDeleteSymbolicLink(&DosDeviceName);
    IoDeleteDevice(DriverObject->DeviceObject);

    LogInfo("Driver Unloaded");
}
43 |
/*
 * DrvClose - IRP_MJ_CLOSE handler.  Drops the hider entry of the current
 * process and completes the IRP.  IoStatus.Status reflects whether an entry
 * was removed, while the routine itself always returns STATUS_SUCCESS (the
 * two are deliberately left as in the original; a failed RemoveEntry is the
 * normal case for a process that never registered).
 *
 * NOTE(review): IRP_MJ_CLOSE is delivered when the last handle to the file
 * object goes away and is not guaranteed to run in the opener's process
 * context (inherited/duplicated handles), so IoGetCurrentProcess() may not
 * be the process that registered; IRP_MJ_CLEANUP is the per-handle request.
 */
NTSTATUS DrvClose(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    BOOLEAN Removed = Hider::RemoveEntry(IoGetCurrentProcess());

    Irp->IoStatus.Status = (Removed == FALSE) ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return STATUS_SUCCESS;
}
58 |
/*
 * DrvCreate - IRP_MJ_CREATE handler.  Every open of \Device\HyperDbg is
 * accepted; the IRP is completed with STATUS_SUCCESS and no payload.
 */
NTSTATUS DrvCreate(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    const NTSTATUS Status = STATUS_SUCCESS;

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = Status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return Status;
}
70 |
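// Undo the three registrations made before device creation: syscall hooks,
// the thread/process notify routines and the hider.  Shared by every late
// failure path in DriverEntry.
static VOID RollbackHooksAndNotifiers()
{
    hv::unhook_all_functions();
    PsRemoveCreateThreadNotifyRoutine(ThreadNotifyRoutine);
    PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutine, TRUE);
    Hider::Uninitialize();
}

/*
 * DriverEntry - bring the driver up in dependency order:
 *   1. record the Windows build number and probe the hypervisor (vmcall);
 *   2. resolve offsets, code caves and the SSDT, initialise the hider;
 *   3. register the thread/process notify routines and hook the syscalls;
 *   4. create \Device\HyperDbg, install the dispatch routines, create the
 *      \DosDevices\HyperDbg link.
 * Each failure unwinds what the earlier steps registered.  Returns
 * STATUS_SUCCESS, STATUS_UNSUCCESSFUL for the project's own checks, or the
 * I/O manager's status when device/link creation fails.
 *
 * Fixes relative to the previous version: dwOSVersionInfoSize is set before
 * RtlGetVersion (required by that API); IoCreateDevice and
 * IoCreateSymbolicLink are checked instead of being assumed to succeed;
 * DO_BUFFERED_IO is set on the device object (it is a DEVICE_OBJECT flag and
 * had been OR'ed into DRIVER_OBJECT::Flags, where it means nothing).
 *
 * NOTE(review): the device is created with the default device DACL and every
 * IOCTL in Ioctl.h uses FILE_SPECIAL_ACCESS, so any local user who can open
 * \\.\HyperDbg can drive the hiding/hooking features.  The least-privilege
 * fix is IoCreateDeviceSecure with an administrators-only SDDL; not done here
 * because it pulls in wdmsec.h / wdmsec.lib.
 */
extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT Driver, PCUNICODE_STRING Reg)
{
    UNREFERENCED_PARAMETER(Reg);

    PDEVICE_OBJECT DeviceObject = NULL;
    UNICODE_STRING DriverName, DosDeviceName;
    OSVERSIONINFOW OsVersion = { 0 };
    NTSTATUS Status;

    // RtlGetVersion requires the caller to fill in the size field first.
    OsVersion.dwOSVersionInfoSize = sizeof(OsVersion);
    RtlGetVersion(&OsVersion);
    g_HyperHide.CurrentWindowsBuildNumber = OsVersion.dwBuildNumber;

    // The probe is wrapped in SEH, presumably because the vmcall faults when
    // no hypervisor is present; either outcome is reported as "not loaded".
    __try
    {
        if (hv::test_vmcall() == FALSE)
            return STATUS_UNSUCCESSFUL;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return STATUS_UNSUCCESSFUL;
    }

    LogInfo("HyperVisor On");

    if (GetOffsets() == FALSE)
        return STATUS_UNSUCCESSFUL;

    LogInfo("Got offsets");

    if (SSDT::FindCodeCaves() == FALSE)
        return STATUS_UNSUCCESSFUL;

    LogInfo("Got code caves");

    if (SSDT::GetSsdt() == FALSE)
        return STATUS_UNSUCCESSFUL;

    LogInfo("Got Ssdt");

    if (Hider::Initialize() == FALSE)
        return STATUS_UNSUCCESSFUL;

    LogInfo("Hider Initialized");

    if (!NT_SUCCESS(PsSetCreateThreadNotifyRoutine(ThreadNotifyRoutine)))
    {
        Hider::Uninitialize();
        return STATUS_UNSUCCESSFUL;
    }

    LogInfo("PsSetCreateThreadNotifyRoutine succeded");

    if (!NT_SUCCESS(PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutine, FALSE)))
    {
        Hider::Uninitialize();
        PsRemoveCreateThreadNotifyRoutine(ThreadNotifyRoutine);
        return STATUS_UNSUCCESSFUL;
    }

    LogInfo("PsSetCreateProcessNotifyRoutine succeded");

    if (HookSyscalls() == FALSE)
    {
        RollbackHooksAndNotifiers();
        return STATUS_UNSUCCESSFUL;
    }

    LogInfo("Syscalls Hooked");

    RtlInitUnicodeString(&DriverName, L"\\Device\\HyperDbg");
    RtlInitUnicodeString(&DosDeviceName, L"\\DosDevices\\HyperDbg");

    Status = IoCreateDevice(Driver, 0, &DriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &DeviceObject);
    if (!NT_SUCCESS(Status))
    {
        LogError("IoCreateDevice failed: 0x%08X", (ULONG)Status);
        RollbackHooksAndNotifiers();
        return Status;
    }

    Driver->MajorFunction[IRP_MJ_CLOSE] = DrvClose;
    Driver->MajorFunction[IRP_MJ_CREATE] = DrvCreate;
    Driver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvIOCTLDispatcher;
    Driver->DriverUnload = DrvUnload;

    // Device-object flag, not a driver-object flag.
    DeviceObject->Flags |= DO_BUFFERED_IO;

    Status = IoCreateSymbolicLink(&DosDeviceName, &DriverName);
    if (!NT_SUCCESS(Status))
    {
        LogError("IoCreateSymbolicLink failed: 0x%08X", (ULONG)Status);
        IoDeleteDevice(DeviceObject);
        RollbackHooksAndNotifiers();
        return Status;
    }

    LogInfo("Driver initialized");

    return STATUS_SUCCESS;
}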
--------------------------------------------------------------------------------
/HyperHideDrv/GlobalData.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/GlobalData.h
--------------------------------------------------------------------------------
/HyperHideDrv/Header.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/Header.h
--------------------------------------------------------------------------------
/HyperHideDrv/Heap.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201 4100 4101 4244 4333 4245 4366)
2 | //#include
3 | #include
4 | #include "Ntapi.h"
5 | #include "Log.h"
6 | #include "Heap.h"
7 | #include "Peb.h"
8 |
// Heap flag bits cleared by ClearHeapFlags alongside the WDK-provided
// HEAP_TAIL_CHECKING_ENABLED / HEAP_FREE_CHECKING_ENABLED; defined locally.
#define HEAP_SKIP_VALIDATION_CHECKS 0x10000000
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000
11 |
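/*
 * ClearHeapFlags - clear the debugger-induced bits from Flags/ForceFlags of
 * every heap in TargetProcess, so heap-flag based debugger checks (see the
 * ctf-wiki link below) see the values of an undebugged process.
 *
 * Two passes: the WOW64 PEB32 (raw 32-bit offsets) and the native PEB
 * (PHEAP from Peb.h).  Each pass attaches to the target and runs inside SEH
 * so a torn-down heap list cannot take the machine down.
 *
 * Returns TRUE on success; FALSE after an access violation in either pass or
 * when the native PEB is NULL (the "Both Peb and Peb32 doesn't exist" branch
 * fires whenever Peb is NULL, regardless of Peb32).
 *
 * Fix relative to the previous version: the native pass now reads the i-th
 * entry of the ProcessHeaps array.  It used to cast the array pointer itself
 * to PHEAP and ignore i, so it patched the pointer array instead of any heap.
 */
BOOLEAN ClearHeapFlags(PEPROCESS TargetProcess)
{
    PPEB Peb = (PPEB)PsGetProcessPeb(TargetProcess);
    PPEB32 Peb32 = (PPEB32)PsGetProcessWow64Process(TargetProcess);

    // https://ctf-wiki.github.io/ctf-wiki/reverse/windows/anti-debug/heap-flags/
    // In all versions of Windows, the value of the Flags
    // field is normally set to HEAP_GROWABLE(2),
    // and the ForceFlags field is normally set to 0

    // 32-bit process.Both of these default values depend on the[subsystem] of its host process
    if (Peb32 != NULL)
    {
        KAPC_STATE State;
        KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);

        __try
        {
            for (size_t i = 0; i < Peb32->NumberOfHeaps; i++)
            {
                // ProcessHeaps is the 32-bit address of an array of 32-bit heap pointers.
                ULONG Heap = *(ULONG*)(Peb32->ProcessHeaps + 4 * i);

                // Heap Flags
                // NOTE(review): 0x40 / 0x44 are the 32-bit _HEAP Flags/ForceFlags
                // offsets; they are build-dependent — confirm for every supported OS.
                *(ULONG*)(Heap + 0x40) &= ~(HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_SKIP_VALIDATION_CHECKS | HEAP_VALIDATE_PARAMETERS_ENABLED);

                // Heap Force Flags
                *(ULONG*)(Heap + 0x44) &= ~(HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED);
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            LogError("Access violation");
            KeUnstackDetachProcess(&State);
            return FALSE;
        }

        KeUnstackDetachProcess(&State);
    }

    if (Peb != NULL)
    {
        KAPC_STATE State;
        KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);

        __try
        {
            for (size_t i = 0; i < Peb->NumberOfHeaps; i++)
            {
                // Same shape as the 32-bit pass: ProcessHeaps points at an array of
                // heap pointers, so read slot i.  Byte arithmetic keeps this correct
                // whether Peb.h declares ProcessHeaps as PVOID or PVOID*.
                PHEAP Heap = *(PHEAP*)((PUCHAR)Peb->ProcessHeaps + sizeof(PVOID) * i);
                Heap->Flags &= ~(HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_SKIP_VALIDATION_CHECKS | HEAP_VALIDATE_PARAMETERS_ENABLED);
                Heap->ForceFlags &= ~(HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED);
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            LogError("Access violation");
            KeUnstackDetachProcess(&State);
            return FALSE;
        }

        KeUnstackDetachProcess(&State);
    }
    else
    {
        LogError("Both Peb and Peb32 doesn't exist");
        return FALSE;
    }

    return TRUE;
}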
--------------------------------------------------------------------------------
/HyperHideDrv/HookHelper.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "Ntstructs.h"
4 |
// System-call indices of the ntoskrnl services the hooking code cares about,
// one SHORT per service; filled in by GetNtSyscallNumbers (by reference).
typedef struct _NT_SYSCALL_NUMBERS
{
    SHORT NtSetInformationThread;
    SHORT NtQueryInformationProcess;
    SHORT NtQueryObject;
    SHORT NtSystemDebugControl;
    SHORT NtSetContextThread;
    SHORT NtQuerySystemInformation;
    SHORT NtGetContextThread;
    SHORT NtClose;
    SHORT NtQueryInformationThread;
    SHORT NtCreateThreadEx;
    SHORT NtCreateFile;
    SHORT NtCreateProcessEx;
    SHORT NtYieldExecution;
    SHORT NtQuerySystemTime;
    SHORT NtQueryPerformanceCounter;
    SHORT NtContinue;
    SHORT NtQueryInformationJobObject;
    SHORT NtCreateUserProcess;
    SHORT NtGetNextProcess;
    SHORT NtOpenProcess;
    SHORT NtOpenThread;
    SHORT NtSetInformationProcess;
    SHORT NtDebugActiveProcess;
    SHORT NtCreateDebugObject;
    SHORT NtRemoveProcessDebug;
    SHORT NtWaitForDebugEvent;
    SHORT NtDebugContinue;
    SHORT NtReadVirtualMemory;
    SHORT NtWriteVirtualMemory;

}NT_SYSCALL_NUMBERS;
38 |
// System-call indices of the win32k (NtUser*) services of interest; filled in
// by GetWin32kSyscallNumbers (by reference).
typedef struct _WIN32K_SYSCALL_NUMBERS
{
    SHORT NtUserFindWindowEx;
    SHORT NtUserBuildHwndList;
    SHORT NtUserQueryWindow;
    SHORT NtUserGetForegroundWindow;
    SHORT NtUserGetThreadState;
    SHORT NtUserGetClassName;
    SHORT NtUserInternalGetWindowText;

}WIN32K_SYSCALL_NUMBERS;
50 |
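// Fill SyscallNumbers with the ntoskrnl syscall indices for the running build.
VOID GetNtSyscallNumbers(NT_SYSCALL_NUMBERS& SyscallNumbers);

// Fill SyscallNumbers with the win32k syscall indices for the running build.
VOID GetWin32kSyscallNumbers(WIN32K_SYSCALL_NUMBERS& SyscallNumbers);

// TRUE when hWnd is a window the hooked NtUser* services should not reveal
// (the exact criterion lives in the implementation).
BOOLEAN IsWindowBad(HANDLE hWnd);

// Rewrite a SystemProcessInformation buffer in place.
VOID FilterProcesses(PSYSTEM_PROCESS_INFO ProcessInfo);

// Rewrite a SystemExtendedHandleInformation buffer in place.
VOID FilterHandlesEx(PSYSTEM_HANDLE_INFORMATION_EX HandleInfoEx);

// Rewrite a SystemHandleInformation buffer in place.
VOID FilterHandles(PSYSTEM_HANDLE_INFORMATION HandleInfo);

// Install HookedKiDispatchException and return the original through
// OriginalKiDispatchException; TRUE on success.
// (The stray second ';' that followed this declaration has been removed.)
BOOLEAN HookKiDispatchException(PVOID HookedKiDispatchException, PVOID* OriginalKiDispatchException);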
--------------------------------------------------------------------------------
/HyperHideDrv/HookedFunctions.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Constants the hooked syscall handlers need that the WDK headers do not give
// to kernel code (values as in the user-mode SDK / NT internals).
#define ObjectTypesInformation 3
#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x40
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x4
#define PROCESS_DEBUG_INHERIT 0x00000001 // default for a non-debugged process
#define PROCESS_NO_DEBUG_INHERIT 0x00000002 // default for a debugged process
#define PROCESS_QUERY_INFORMATION 0x0400
// NOTE(review): redefining a name the SDK also defines will warn/conflict if
// both headers are ever included together — confirm none of these collide.
#define INVALID_HANDLE_VALUE ((HANDLE)(LONG_PTR)-1)

// Save *ReturnLength (when the caller passed one) into a fresh local so the
// hook can restore it after the original service ran.  Expands to a
// declaration plus a statement: use once per scope, directly in a block, with
// a variable named ReturnLength in scope.
#define BACKUP_RETURNLENGTH() \
ULONG TempReturnLength = 0; \
if(ARGUMENT_PRESENT(ReturnLength)) \
TempReturnLength = *ReturnLength

// Counterpart of BACKUP_RETURNLENGTH(); must appear in the same scope.
#define RESTORE_RETURNLENGTH() \
if(ARGUMENT_PRESENT(ReturnLength)) \
(*ReturnLength) = TempReturnLength

// Install every syscall hook; TRUE on success.  Called from DriverEntry.
BOOLEAN HookSyscalls();
--------------------------------------------------------------------------------
/HyperHideDrv/HyperHideDrv.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Off
5 |
6 |
7 | Off
8 |
9 |
--------------------------------------------------------------------------------
/HyperHideDrv/HypervisorGateway.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Interface to the companion hypervisor.  Every call here is presumably a
// vmcall into it (the implementation is not in this file); test_vmcall() is
// probed under SEH in DriverEntry because the call faults without it.
namespace hv
{
    // Redirect target_address to hook_function, optionally through a caller-supplied
    // trampoline; the original entry is returned via origin_function.
    bool hook_function(void* target_address, void* hook_function, void* trampoline, void** origin_function);

    bool hook_function(void* target_address, void* hook_function, void** origin_function);

    // Toggle whether the hypervisor reveals itself; exposed to user mode via
    // IOCTL_SET_HYPERVISOR_VISIBILITY.
    void hypervisor_visible(bool value);

    // true when the hypervisor answers; used as the "is it loaded" check.
    bool test_vmcall();

    // Remove every hook installed through hook_function.
    bool unhook_all_functions();

    bool unhook_function(unsigned __int64 function_address);

    bool send_irp_perform_allocation();
}
--------------------------------------------------------------------------------
/HyperHideDrv/Ioctl.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #ifndef _NTIFS_H
4 | #define _NTIFS_H
5 | #include
6 | #endif // !_NTIFS_H
7 |
8 |
// IOCTL codes served by DrvIOCTLDispatcher (Dispatcher.h).  All are
// METHOD_BUFFERED with FILE_SPECIAL_ACCESS, which equals FILE_ANY_ACCESS: the
// I/O manager performs no per-code access check, so whoever can open the
// device can issue every one of them.  Access control rests entirely on the
// device object's DACL (see IoCreateDevice in Driver.cpp).
#define IOCTL_ADD_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_CLEAR_PEB_DEBUGGER_FLAG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x901, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_SET_PEB_DEBUGGER_FLAG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x902, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_HIDE_FROM_SYSCALL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x903, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x904, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_REMOVE_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x905, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_PROCESS_STOPPED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x906, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IOCTL_PROCESS_RESUMED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x907, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
// Forwards to hv::hypervisor_visible (HypervisorGateway.h).
#define IOCTL_SET_HYPERVISOR_VISIBILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x908, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
--------------------------------------------------------------------------------
/HyperHideDrv/KernelApi.cpp:
--------------------------------------------------------------------------------
1 | #include "KernelApi.h"
// nt!PsGetNextProcessThread is not resolvable by name here, so
// myPsGetNextProcessThread locates it by scanning PsResumeProcess and caches
// the result in m_PsGetNextProcessThread (0 = not resolved yet).
typedef PETHREAD(_fastcall* PSGETNEXTPROCESSTHREAD)(
    IN PEPROCESS Process,
    IN PETHREAD Thread
    );
PSGETNEXTPROCESSTHREAD m_PsGetNextProcessThread = 0;
// NtOpenDirectoryObject is looked up in the SSDT on first use by the wrapper
// below and cached in m_NtOpenDirectoryObject (0 = not resolved yet).
typedef NTSTATUS(_stdcall* NTOPENDIRECTORYOBJECT)(
    __out PHANDLE DirectoryHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes);
NTOPENDIRECTORYOBJECT m_NtOpenDirectoryObject = 0;
10 |
11 |
/*
 * myPsGetNextProcessThread - wrapper around the unexported
 * nt!PsGetNextProcessThread.  On first use it scans the first 0x100 bytes of
 * PsResumeProcess for the instruction sequence quoted in the comments below,
 * decodes the rel32 of the following call and caches the target in
 * m_PsGetNextProcessThread; afterwards it just forwards (Process, Thread).
 *
 * Returns the next thread of Process after Thread (as the original does), or
 * 0 when PsResumeProcess or the pattern cannot be found.
 *
 * NOTE(review): the x64 scan does not stop at the first hit, so a second
 * match inside the window would overwrite the first; it also never checks
 * *(p+0) / *(p+3) (the REX bytes of the quoted sequence) — confirm intended.
 * NOTE(review): the x86 path calls g_SystemData.PsGetNextProcessThread from
 * inline asm, not the m_PsGetNextProcessThread value resolved above — confirm
 * the two are kept in sync (the only x86 resolver here is the 7601 branch).
 */
PETHREAD myPsGetNextProcessThread
(
    IN PEPROCESS Process,
    IN PETHREAD Thread)
{
    if (!m_PsGetNextProcessThread)
    {

        PUCHAR p = (PUCHAR)GetKernelAddress("PsResumeProcess");
#ifdef _WIN64
        /* nt!PsResumeProcess + 0x64:
        fffff800`042b8c64 488bce mov rcx, rsi
        fffff800`042b8c67 e8ac7bbeff call nt!KeResumeThread(fffff800`03ea0818)
        fffff800`042b8c6c 488bd6 mov rdx, rsi
        fffff800`042b8c6f 488bcd mov rcx, rbp
        fffff800`042b8c72 e869f2eaff call nt!PsGetNextProcessThread(fffff800`04167ee0)*/

        if (!p)
        {
            return 0;
        }

        // Match "mov rdx,rsi ; mov rcx,rbp ; call rel32" byte by byte; the call
        // target is rel32 + address of the instruction following the call (p+11).
        for (size_t i = 0; i < 0x100; i++)
        {
            if (*(p + 1) == 0x8b &&
                *(p + 2) == 0xd6 &&
                *(p + 4) == 0x8b &&
                *(p + 5) == 0xcd &&
                *(p + 6) == 0xe8)
            {
                INT offset = *(INT*)(p + 7);
                m_PsGetNextProcessThread=(PSGETNEXTPROCESSTHREAD)(offset + (INT_PTR)p + 11);
            }
            p++;
        }
#else
        // Only Windows 7 SP1 (build 7601) is handled on x86.
        if (g_SystemData.WinVersion == 7601)
        {
            /*nt!PsResumeProcess + 0x4c:
            84117820 8b4508 mov eax, dword ptr[ebp + 8]
            84117823 e8c059f5ff call nt!PsGetNextProcessThread(8406d1e8)
            84117828 8bd8 mov ebx, eax
            8411782a 85db test ebx, ebx
            8411782c 75ea jne nt!PsResumeProcess + 0x44 (84117818) Branch*/

            // Byte/offset pairs relative to the E8 opcode; resolved by FindMemory
            // (Memroy.h) in CMemroy::Call mode.
            TZM tzm[5] = { {0xe8,0},{0x8b,-3},{0x45,-2},{0x08,-1} ,{0x8b,5} };
            m_PsGetNextProcessThread=(PSGETNEXTPROCESSTHREAD)FindMemory(p, 0x100, CMemroy::Call, tzm);
        }
#endif // _WIN64
        if (!m_PsGetNextProcessThread)
        {
            DbgPrint("Call PsGetNextProcessThread eeor\n");
            return 0;
        }
    }

#ifdef _WIN64
    return m_PsGetNextProcessThread(Process, Thread);
#else
    // PsGetNextProcessThread is __fastcall on x86: Process in EAX, Thread pushed.
    PETHREAD j_Thread;
    _asm
    {
        push Thread
        mov eax, Process
        call g_SystemData.PsGetNextProcessThread
        mov j_Thread, eax
    }
    return j_Thread;
#endif // _WIN64

}
83 |
/*
 * NtOpenDirectoryObject - thin forwarder to the kernel's NtOpenDirectoryObject,
 * resolved through the SSDT (CKernelTable::GetAddressFromName) the first time
 * it is needed and cached in m_NtOpenDirectoryObject.
 *
 * Returns STATUS_UNSUCCESSFUL when the service cannot be located, otherwise
 * whatever the kernel routine returns.  The lazy resolution is not
 * synchronised; two concurrent first callers simply store the same value.
 */
NTSTATUS NtOpenDirectoryObject
(
    __out PHANDLE DirectoryHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes)
{
    if (m_NtOpenDirectoryObject == 0)
    {
        CKernelTable Table;
        NTOPENDIRECTORYOBJECT Resolved = (NTOPENDIRECTORYOBJECT)Table.GetAddressFromName("NtOpenDirectoryObject");

        if (Resolved == 0)
        {
            DbgPrint("Call NtOpenDirectoryObject eeor\n");
            return STATUS_UNSUCCESSFUL;
        }

        m_NtOpenDirectoryObject = Resolved;
    }

    return m_NtOpenDirectoryObject(DirectoryHandle, DesiredAccess, ObjectAttributes);
}
103 |
104 |
--------------------------------------------------------------------------------
/HyperHideDrv/KernelApi.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "Header.h"
3 |
4 | //PETHREAD PsGetNextProcessThread(
5 | // IN PEPROCESS Process,
6 | // IN PETHREAD Thread
7 | //);
8 |
// Forwarder to the kernel's NtOpenDirectoryObject, resolved via the SSDT on
// first call (see KernelApi.cpp).  STATUS_UNSUCCESSFUL if it cannot be found.
NTSTATUS NtOpenDirectoryObject(
    __out PHANDLE DirectoryHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes
);
14 |
15 |
--------------------------------------------------------------------------------
/HyperHideDrv/KernelDbgStruct.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/KernelDbgStruct.h
--------------------------------------------------------------------------------
/HyperHideDrv/KernelExportAPI.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/KernelExportAPI.h
--------------------------------------------------------------------------------
/HyperHideDrv/KernelStruct.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include
4 | #include
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/HyperHideDrv/KernelStruct1.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/KernelStruct1.h
--------------------------------------------------------------------------------
/HyperHideDrv/KuserSharedData.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Mirror of nt!_MMPFN (the per-physical-page PFN database entry) used by
// GetPfnDatabase and the KUSER_SHARED_DATA hooking code.  Trailing comments
// give the field offsets this layout was taken from; the layout is build
// specific and must be re-checked against the targeted kernels.
// Nested anonymous structs/unions rely on the MS C extension.
typedef struct _MMPFN
{
    union
    {
        LIST_ENTRY ListEntry; //0x0
        RTL_BALANCED_NODE TreeNode; //0x0
        struct
        {
            union
            {
                SINGLE_LIST_ENTRY NextSlistPfn; //0x0
                VOID* Next; //0x0
                ULONGLONG Flink : 36; //0x0
                ULONGLONG NodeFlinkHigh : 28; //0x0
                ULONGLONG Active; //0x0
            } u1; //0x0
            union
            {
                ULONGLONG* PteAddress; //0x8
                ULONGLONG PteLong; //0x8
            };
            ULONGLONG OriginalPte; //0x10
        };
    };
    ULONGLONG u2; //0x18
    union
    {
        struct
        {
            USHORT ReferenceCount; //0x20
            UCHAR e1; //0x22
        };
        struct
        {
            UCHAR e3; //0x23
            struct
            {
                USHORT ReferenceCount; //0x20
            } e2; //0x20
        };
        struct
        {
            ULONG EntireField; //0x20
        } e4; //0x20
    } u3; //0x20
    USHORT NodeBlinkLow; //0x24
    UCHAR Unused : 4; //0x26
    UCHAR Unused2 : 4; //0x26
    union
    {
        UCHAR ViewCount; //0x27
        UCHAR NodeFlinkLow; //0x27
    };
    union
    {
        ULONGLONG PteFrame : 36; //0x28
        ULONGLONG Channel : 2; //0x28
        ULONGLONG Unused1 : 1; //0x28
        ULONGLONG Unused2 : 1; //0x28
        ULONGLONG Partition : 10; //0x28
        ULONGLONG Spare : 2; //0x28
        ULONGLONG FileOnly : 1; //0x28
        ULONGLONG PfnExists : 1; //0x28
        ULONGLONG PageIdentity : 3; //0x28
        ULONGLONG PrototypePte : 1; //0x28
        ULONGLONG PageColor : 6; //0x28
        ULONGLONG EntireField; //0x28
    } u4; //0x28
}MMPFN,*PMMPFN;
72 |
// Install / remove the KUSER_SHARED_DATA hook for one hidden process.
VOID HookKuserSharedData(Hider::PHIDDEN_PROCESS HiddenProcess);

VOID UnHookKuserSharedData(Hider::PHIDDEN_PROCESS HiddenProcess);

// Timing bookkeeping for DebuggedProcess (names suggest a start point and a
// running delta; the semantics live in the implementation).
VOID GetBegin(PEPROCESS DebuggedProcess);

VOID UpdateDelta(PEPROCESS DebuggedProcess);

// Worker/thread routine taking an opaque Context (PKSTART_ROUTINE-shaped).
VOID CounterUpdater(PVOID Context);

// Locate the PFN database (see _MMPFN above); TRUE on success.
BOOLEAN GetPfnDatabase();
--------------------------------------------------------------------------------
/HyperHideDrv/Log.cpp:
--------------------------------------------------------------------------------
1 | #define _NO_CRT_STDIO_INLINE
2 | #include
3 | #include
4 | #include
5 | #include "Log.h"
6 |
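/*
 * LogPrint - format one log line as
 *     "[HH:MM:SS.mmm] [LEVEL] <message>\r\n"
 * (local time) and emit it with DbgPrintEx(DPFLTR_IHVDRIVER_ID,
 * DPFLTR_ERROR_LEVEL).
 *
 * Type: selects the level tag; any value outside log_type prints "[UNKNOWN]".
 * fmt/...: printf-style message.  It is rendered with RtlStringCchVPrintfA
 *          into a 412-byte buffer (silently truncated) and then handed to
 *          DbgPrintEx through a fixed "%s", so caller-controlled text can
 *          never act as a format string for the debugger transport.
 *
 * Fix relative to the previous version: the level tag and output format are
 * const char* (string literals are const; binding them to char* drops the
 * qualifier and is rejected by conforming C++ compilers).
 */
void LogPrint(log_type Type, const char* fmt, ...)
{
    const char* LogType;
    LARGE_INTEGER SystemTime;
    LARGE_INTEGER LocalTime;
    TIME_FIELDS TimeFields;
    char TimeBuffer[20] = {};
    char MessageBuffer[412] = {};
    char OutputBuffer[512] = {};   // 14 (time) + 1 + 13 (tag) + 1 + 411 + 2 (CRLF) + NUL fits
    va_list Args = {};

    switch (Type)
    {
    case LOG_TYPE_DEBUG:
        LogType = "[DEBUG]";
        break;
    case LOG_TYPE_DUMP:
        LogType = "[DUMP]";
        break;
    case LOG_TYPE_ERROR:
        LogType = "[ERROR]";
        break;
    case LOG_TYPE_INFO:
        LogType = "[INFORMATION]";
        break;
    default:
        LogType = "[UNKNOWN]";
        break;
    }

    // Timestamp in local time: "[HH:MM:SS.mmm]".
    KeQuerySystemTime(&SystemTime);
    ExSystemTimeToLocalTime(&SystemTime, &LocalTime);
    RtlTimeToTimeFields(&LocalTime, &TimeFields);

    RtlStringCchPrintfA(
        TimeBuffer,
        sizeof(TimeBuffer),
        "[%02hd:%02hd:%02hd.%03hd]",
        TimeFields.Hour,
        TimeFields.Minute,
        TimeFields.Second,
        TimeFields.Milliseconds);

    // Caller's message; RtlStringCch* always NUL-terminates, truncating if needed.
    va_start(Args, fmt);
    RtlStringCchVPrintfA(MessageBuffer, sizeof(MessageBuffer), fmt, Args);
    va_end(Args);

    const char* OutputFormat = "%s %s %s\r\n";

    RtlStringCchPrintfA(
        OutputBuffer,
        sizeof(OutputBuffer),
        OutputFormat,
        TimeBuffer,
        LogType,
        MessageBuffer);

    // Fixed "%s" keeps the assembled line from being re-parsed as a format string.
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "%s", OutputBuffer);
}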
--------------------------------------------------------------------------------
/HyperHideDrv/Log.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Convenience wrappers around LogPrint that prefix every message with the
// calling function and line: "[DEBUG] [Func:123] ...".  `format` must be a
// string literal (it is concatenated with the prefix at compile time).
// NOTE(review): with no extra arguments the expansion ends in ", )"; MSVC's
// traditional preprocessor drops that comma, a conforming one (/Zc:preprocessor)
// does not — verify the build settings.
#define LogError(format, ...) \
LogPrint(LOG_TYPE_ERROR," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogDebug(format, ...) \
LogPrint(LOG_TYPE_DEBUG," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogDump(format, ...) \
LogPrint(LOG_TYPE_DUMP," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogInfo(format, ...) \
LogPrint(LOG_TYPE_INFO," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
10 |
// Severity tag selected by LogPrint's Type argument; each maps to a fixed
// "[...]" string in Log.cpp.
typedef enum __log_type
{
    LOG_TYPE_DEBUG,
    LOG_TYPE_ERROR,
    LOG_TYPE_DUMP,
    LOG_TYPE_INFO
}log_type;
18 |
// Format "[time] [type] message\r\n" and write it through DbgPrintEx; see Log.cpp.
void LogPrint(log_type type, const char* fmt, ...);
--------------------------------------------------------------------------------
/HyperHideDrv/Memroy.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/Memroy.cpp
--------------------------------------------------------------------------------
/HyperHideDrv/Memroy.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/Memroy.h
--------------------------------------------------------------------------------
/HyperHideDrv/Notifiers.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | //#include
3 | #include "Hider.h"
4 | #include "Utils.h"
5 | #include "Ntapi.h"
6 | #include "Log.h"
7 | #include
8 |
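/*
 * ThreadNotifyRoutine - PsSetCreateThreadNotifyRoutine callback.  On thread
 * exit (Create == FALSE) the thread is dropped from the hider's per-process
 * list; thread creation is ignored.
 *
 * PsLookupThreadByThreadId hands back a referenced ETHREAD that must be
 * released with ObDereferenceObject.  The previous version never released it
 * and so leaked one reference per exiting thread.
 *
 * NOTE(review): PidToProcess is a project helper (Utils.h); whether the
 * PEPROCESS it returns carries a reference is not visible here — check it.
 */
VOID ThreadNotifyRoutine(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create)
{
    if (Create != FALSE)
        return;

    PETHREAD CurrentThread = NULL;
    if (!NT_SUCCESS(PsLookupThreadByThreadId(ThreadId, &CurrentThread)))
        return;

    Hider::TruncateThreadList(PidToProcess(ProcessId), CurrentThread);

    ObDereferenceObject(CurrentThread);
}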
18 |
/*
 * ProcessNotifyRoutine - PsSetCreateProcessNotifyRoutine callback.  When a
 * process exits (Create == FALSE) its hider entry is removed; creation
 * notifications and ParentId are ignored.
 */
VOID ProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    UNREFERENCED_PARAMETER(ParentId);

    if (Create != FALSE)
        return;

    Hider::RemoveEntry(PidToProcess(ProcessId));
}
--------------------------------------------------------------------------------
/HyperHideDrv/Notifiers.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Registered with PsSetCreateThreadNotifyRoutine in DriverEntry; acts only on
// thread exit (Create == FALSE).
VOID ThreadNotifyRoutine(HANDLE ProcessId, HANDLE ThreadId, BOOLEAN Create);

// Registered with PsSetCreateProcessNotifyRoutine in DriverEntry; acts only on
// process exit (Create == FALSE).
VOID ProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
--------------------------------------------------------------------------------
/HyperHideDrv/Ntapi.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | //#include
3 | #ifndef _NTIFS_H
4 | #define _NTIFS_H
5 | #include
6 | #endif // !_NTIFS_H
7 | #include "KernelDbgStruct.h"
8 | #include "Ntenums.h"
9 |
// Kernel routines this driver calls that the public WDK headers do not
// declare for it.  The signatures are hand-written; several of these routines
// are undocumented and their behaviour/availability can differ across builds.
extern "C"
{
    // DPC broadcast helpers.
    VOID NTAPI KeGenericCallDpc
    (
        _In_ PKDEFERRED_ROUTINE Routine,
        _In_ PVOID Context
    );

    VOID NTAPI KeSignalCallDpcDone
    (
        _In_ PVOID SystemArgument1
    );

    BOOLEAN NTAPI KeSignalCallDpcSynchronize
    (
        _In_ PVOID SystemArgument2
    );

    //NTKERNELAPI VOID KeStackAttachProcess
    //(
    // _Inout_ PRKPROCESS PROCESS,
    // _Out_ PRKAPC_STATE ApcState
    //);

    //NTKERNELAPI VOID KeUnstackDetachProcess
    //(
    // _In_ PRKAPC_STATE ApcState
    //);

    // Zw*/Nt* information queries used by the hooked syscall handlers.
    NTKERNELAPI NTSTATUS NTAPI ZwQuerySystemInformation
    (
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    );

    // Cross-process copy; PreviousMode selects whether user-mode probing applies.
    NTSTATUS NTAPI MmCopyVirtualMemory
    (
        PEPROCESS SourceProcess,
        PVOID SourceAddress,
        PEPROCESS TargetProcess,
        PVOID TargetAddress,
        SIZE_T BufferSize,
        KPROCESSOR_MODE PreviousMode,
        PSIZE_T ReturnSize
    );

    // PEB accessors (used by Heap.cpp and the PEB-flag IOCTLs).  The returned
    // pointers are user-mode addresses valid only while attached to Process.
    NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process
    (
        IN PEPROCESS Process
    );

    NTKERNELAPI PPEB NTAPI PsGetProcessPeb
    (
        IN PEPROCESS Process
    );

    NTSYSAPI NTSTATUS NTAPI ObReferenceObjectByName
    (
        PUNICODE_STRING ObjectName,
        ULONG Attributes,
        PACCESS_STATE AccessState,
        ACCESS_MASK DesiredAccess,
        POBJECT_TYPE ObjectType,
        KPROCESSOR_MODE AccessMode,
        PVOID ParseContext OPTIONAL,
        PVOID* Object
    );

    NTSYSAPI UCHAR* NTAPI PsGetProcessImageFileName(PEPROCESS Process);

    NTSYSAPI NTSTATUS NTAPI ZwQueryInformationJobObject(
        HANDLE JobHandle,
        JOBOBJECTINFOCLASS JobInformationClass,
        PVOID JobInformation,
        ULONG JobInformationLength,
        PULONG ReturnLength
    );

    NTSTATUS NTAPI ZwQueryInformationProcess(
        HANDLE ProcessHandle,
        PROCESSINFOCLASS ProcessInformationClass,
        PVOID ProcessInformation,
        ULONG ProcessInformationLength,
        PULONG ReturnLength
    );

    BOOLEAN NTAPI ObFindHandleForObject(
        __in PEPROCESS Process,
        __in_opt PVOID Object OPTIONAL,
        __in_opt POBJECT_TYPE ObjectType OPTIONAL,
        __in_opt POBJECT_HANDLE_INFORMATION HandleInformation,
        __out PHANDLE Handle
    );

    NTSTATUS NTAPI ZwSetInformationProcess(
        HANDLE ProcessHandle,
        PROCESSINFOCLASS ProcessInformationClass,
        PVOID ProcessInformation,
        ULONG ProcessInformationLength
    );

    BOOLEAN NTAPI PsIsProcessBeingDebugged(PEPROCESS Process);

    HANDLE NTAPI
    PsGetProcessInheritedFromUniqueProcessId(
        __in PEPROCESS Process
    );

    PVOID NTAPI PsGetCurrentProcessWow64Process();

    NTSTATUS
    PsGetContextThread(
        __in PETHREAD Thread,
        __inout PCONTEXT ThreadContext,
        __in KPROCESSOR_MODE Mode
    );
}
--------------------------------------------------------------------------------
/HyperHideDrv/Ntenums.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Type argument of PsSetCreateThreadNotifyRoutineEx.
typedef enum _PSCREATETHREADNOTIFYTYPE {
    PsCreateThreadNotifyNonSystem = 0,
    PsCreateThreadNotifySubsystems = 1
} PSCREATETHREADNOTIFYTYPE;
6 |
// Partial copy of the kernel's SYSDBG_COMMAND (the class argument of
// NtSystemDebugControl). Only the one member this driver refers to is
// reproduced; its numeric value is pinned so it lines up with the full
// enumeration. Add further members with their real values, never positionally.
enum SYSDBG_COMMAND
{
    SysDbgGetTriageDump = 29
};
11 |
// Information classes for ZwQueryInformationJobObject (declared in Ntapi.h).
// Values follow the public SDK header. Note that JobObjectReserved1..8Information
// deliberately alias the numbers 18..25 already used by Freeze..ClearEvent, so a
// switch on this enum must not list both names of the same value (duplicate
// case labels), and a value-to-name lookup is ambiguous for those entries.
enum JOBOBJECTINFOCLASS
{
    JobObjectBasicAccountingInformation = 1,
    JobObjectBasicLimitInformation = 2,
    JobObjectBasicProcessIdList = 3,
    JobObjectBasicUIRestrictions = 4,
    JobObjectSecurityLimitInformation = 5,
    JobObjectEndOfJobTimeInformation = 6,
    JobObjectAssociateCompletionPortInformation = 7,
    JobObjectBasicAndIoAccountingInformation = 8,
    JobObjectExtendedLimitInformation = 9,
    JobObjectJobSetInformation = 10,
    JobObjectGroupInformation = 11,
    JobObjectNotificationLimitInformation = 12,
    JobObjectLimitViolationInformation = 13,
    JobObjectGroupInformationEx = 14,
    JobObjectCpuRateControlInformation = 15,
    JobObjectCompletionFilter = 16,
    JobObjectCompletionCounter = 17,
    JobObjectFreezeInformation = 18,
    JobObjectExtendedAccountingInformation = 19,
    JobObjectWakeInformation = 20,
    JobObjectBackgroundInformation = 21,
    JobObjectSchedulingRankBiasInformation = 22,
    JobObjectTimerVirtualizationInformation = 23,
    JobObjectCycleTimeNotification = 24,
    JobObjectClearEvent = 25,
    // Aliases of 18..25 (kept for SDK parity).
    JobObjectReserved1Information = 18,
    JobObjectReserved2Information = 19,
    JobObjectReserved3Information = 20,
    JobObjectReserved4Information = 21,
    JobObjectReserved5Information = 22,
    JobObjectReserved6Information = 23,
    JobObjectReserved7Information = 24,
    JobObjectReserved8Information = 25,
    MaxJobObjectInfoClass = 26
};
49 |
// Query selector for the win32k window-information service (presumably
// NtUserQueryWindow — confirm against the call site). Values are positional
// from 0 and must match the kernel-side numbering, so do not reorder.
typedef enum _WINDOWINFOCLASS {
    WindowProcess,
    WindowThread,
    WindowActiveWindow,
    WindowFocusWindow,
    WindowIsHung,
    WindowClientBase,
    WindowIsForegroundThread,
} WINDOWINFOCLASS;
59 |
// Routine selector for the win32k thread-state query (presumably
// NtUserGetThreadState — confirm against the call site). Positional values
// 0 and 1; order is significant.
typedef enum _THREAD_STATE_ROUTINE
{
    THREADSTATE_GETTHREADINFO,
    THREADSTATE_ACTIVEWINDOW
} THREAD_STATE_ROUTINE;
--------------------------------------------------------------------------------
/HyperHideDrv/Peb.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | //#include
3 | #include
4 | #include "Ntapi.h"
5 | #include "Log.h"
6 | #include "Peb.h"
7 |
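// Writes Value into PEB.BeingDebugged of TargetProcess — the native PEB and,
// for a WOW64 process, the 32-bit PEB as well. The PEB lives in the target's
// user-mode address space, so the write is done while stack-attached to that
// process and inside __try, because the page may be unmapped or unreadable.
//
// Returns FALSE when the process has neither PEB or the write faulted,
// TRUE otherwise. Each PEB is written only if its pointer is non-NULL, so a
// WOW64 process whose native PEB lookup returns NULL never dereferences NULL.
// The attach is undone on every path by a single KeUnstackDetachProcess.
BOOLEAN SetPebDeuggerFlag(PEPROCESS TargetProcess, BOOLEAN Value)
{
    PPEB Peb = PsGetProcessPeb(TargetProcess);
    PPEB32 Peb32 = (PPEB32)PsGetProcessWow64Process(TargetProcess);

    if (Peb == NULL && Peb32 == NULL)
    {
        LogError("Both pebs doesn't exist");
        return FALSE;
    }

    BOOLEAN Succeeded = TRUE;
    KAPC_STATE State;
    KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);
    __try
    {
        if (Peb32 != NULL)
        {
            Peb32->BeingDebugged = Value;
        }
        if (Peb != NULL)
        {
            Peb->BeingDebugged = Value;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // User-mode page of the target was not writable; nothing to roll back,
        // the flag simply keeps its previous value.
        LogError("Access Violation");
        Succeeded = FALSE;
    }
    KeUnstackDetachProcess(&State);

    return Succeeded;
}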
55 |
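// Clears the heap-debug bits of PEB.NtGlobalFlag in TargetProcess:
// FLG_HEAP_ENABLE_TAIL_CHECK (0x10), FLG_HEAP_ENABLE_FREE_CHECK (0x20) and
// FLG_HEAP_VALIDATE_PARAMETERS (0x40). Both the native PEB and, for a WOW64
// process, the 32-bit PEB are updated. The PEB is user-mode memory of the
// target, so the writes happen while stack-attached and inside __try.
//
// Returns FALSE when the process has neither PEB or a write faulted,
// TRUE otherwise. Each PEB is touched only if its pointer is non-NULL, so a
// NULL native PEB is never dereferenced, and the attach is undone by one
// KeUnstackDetachProcess on every path.
BOOLEAN ClearPebNtGlobalFlag(PEPROCESS TargetProcess)
{
    // Bits cleared: the three heap-debug flags a debugger-started process gets.
    const ULONG HeapDebugFlags = 0x70;

    PPEB Peb = PsGetProcessPeb(TargetProcess);
    PPEB32 Peb32 = (PPEB32)PsGetProcessWow64Process(TargetProcess);

    if (Peb == NULL && Peb32 == NULL)
    {
        LogError("Both pebs doesn't exist");
        return FALSE;
    }

    BOOLEAN Succeeded = TRUE;
    KAPC_STATE State;
    KeStackAttachProcess((PRKPROCESS)TargetProcess, &State);
    __try
    {
        if (Peb32 != NULL)
        {
            Peb32->NtGlobalFlag &= ~HeapDebugFlags;
        }
        if (Peb != NULL)
        {
            Peb->NtGlobalFlag &= ~HeapDebugFlags;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        LogError("Access Violation");
        Succeeded = FALSE;
    }
    KeUnstackDetachProcess(&State);

    return Succeeded;
}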
--------------------------------------------------------------------------------
/HyperHideDrv/Pte.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Bit layout of an EPT page-table entry (Intel VT-x extended page tables),
// despite the generic name: bits 0-2 are the read/write/execute permissions the
// hypervisor grants the guest for this page, 3-5 the EPT memory type, bit 6
// "ignore PAT", 8/9 accessed/dirty, bit 10 user-mode execute (only meaningful
// when mode-based execute control is enabled), bits 12..47 the page-frame
// number, bit 63 "suppress #VE". `All` gives raw 64-bit access so an entry can
// be read or replaced in a single store.
// NOTE(review): PhysicalAddress is 36 bits, i.e. a 48-bit physical address
// space; a host with MAXPHYADDR > 48 would need the Reserved bits folded in.
union PTE {
    unsigned __int64 All;
    struct {
        unsigned __int64 Read : 1;               // bit 0
        unsigned __int64 Write : 1;              // bit 1
        unsigned __int64 Execute : 1;            // bit 2
        unsigned __int64 EPTMemoryType : 3;      // bit 5:3 (EPT Memory type)
        unsigned __int64 IgnorePAT : 1;          // bit 6
        unsigned __int64 Ignored1 : 1;           // bit 7
        unsigned __int64 AccessedFlag : 1;       // bit 8
        unsigned __int64 DirtyFlag : 1;          // bit 9
        unsigned __int64 ExecuteForUserMode : 1; // bit 10
        unsigned __int64 Ignored2 : 1;           // bit 11
        unsigned __int64 PhysicalAddress : 36;   // bit (N-1):12 or Page-Frame-Number
        unsigned __int64 Reserved : 4;           // bit 51:N
        unsigned __int64 Ignored3 : 11;          // bit 62:52
        unsigned __int64 SuppressVE : 1;         // bit 63
    }Fields;
};
--------------------------------------------------------------------------------
/HyperHideDrv/RWNoAttach.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
// Previous value of the thread field patched by AttachProcess(), restored by
// DetachProcess(). NOTE(review): one global slot for every caller — two threads
// inside an attach/detach pair at the same time restore each other's value.
// Keep it per call (a local handed to both routines) or serialize the pair.
uint64_t OldAttach;
6 |
// Returns the page-directory base (the CR3 value) stored in the target
// process's kernel object. The 0x28 offset is hard-coded; presumably it is
// KPROCESS.DirectoryTableBase on the x64 builds this driver targets — confirm
// against the running kernel's symbols before trusting it on a new build.
uint64_t GetDirectoryTableBase(PEPROCESS Process)
{
    const uint64_t FieldAddress = uint64_t(Process) + 0x28;
    return *reinterpret_cast<uint64_t*>(FieldAddress);
}
11 |
// Hand-rolled stand-in for KeStackAttachProcess(): makes the current thread run
// on Process's page tables without the kernel's attach bookkeeping. It
// (1) swaps the thread field at +0xB8 for Process, saving the old value in the
// global OldAttach for DetachProcess(); (2) clears the byte the author labels
// KernelApcPending; (3) loads Process's CR3 and flushes the TLB.
//
// Every offset (0xB8, 0x98+0x29, gs:0x9000) is hard-coded for one Windows
// build. Presumably 0xB8 is KTHREAD.ApcState.Process and 0x98+0x29 the
// KernelApcPending byte of that ApcState — confirm against the target build's
// symbols, since a wrong offset silently corrupts the thread object. What the
// kernel keeps at gs:0x9000 is not evident from this file.
//
// Nothing raises IRQL or disables interrupts between the field writes and the
// CR3 switch, and Process is not validated: a context switch or a bad pointer
// in between is the caller's problem.
void AttachProcess(PEPROCESS Process, PETHREAD Thread)
{
    uint64_t DirectoryTableBase;
    uint64_t result;
    uint64_t Value;

    // Attach to Process: remember and replace the thread's process pointer.
    OldAttach = *(uint64_t*)(uint64_t(Thread) + 0xB8);
    *(uint64_t*)(uint64_t(Thread) + 0xB8) = uint64_t(Process);

    // KernelApcPending (author's naming). NOTE(review): this is an 8-byte store
    // into what that name says is a one-byte flag, so the seven bytes after it
    // are zeroed too; if the field is a single byte, make this a byte store
    // (same for the matching store in DetachProcess()).
    *(uint64_t*)(uint64_t(Thread) + 0x98 + 0x29) = 0;

    // Get DirectoryTableBase. A set bit 1 presumably marks a PCID-tagged value;
    // bit 63 on the CR3 write then asks the CPU not to flush that PCID's TLB
    // entries — confirm against the kernel's own CR3 handling.
    DirectoryTableBase = GetDirectoryTableBase(Process);
    if ((DirectoryTableBase & 2) != 0)
        DirectoryTableBase = DirectoryTableBase | 0x8000000000000000u;

    // Store the new CR3 at gs:0x9000 (purpose not evident here) and load it.
    __writegsqword(0x9000u, DirectoryTableBase);
    __writecr3(DirectoryTableBase);

    // Flush the TLB. 0x20080 = CR4.PCIDE | CR4.PGE: with either set, global
    // entries survive a CR3 load, so PGE (0x80) is toggled off and back on,
    // which flushes everything; otherwise re-writing CR3 is enough.
    // "result" is only a scratch value — its first assignment is unused.
    Value = __readcr4();
    if ((Value & 0x20080) != 0)
    {
        result = Value ^ 0x80;
        __writecr4(Value ^ 0x80);
        __writecr4(Value);
    }
    else
    {
        result = __readcr3();
        __writecr3(result);
    }
}
48 |
49 | #include
// Undoes AttachProcess(): re-sets the flag byte the author labels
// KernelApcPending and puts the saved value (global OldAttach) back into the
// thread field at +0xB8. Process is unused. CR3 is NOT restored here —
// presumably the next scheduling pass or APC delivery reloads it; confirm,
// because until then the thread keeps running on the target's page tables.
void DetachProcess(PEPROCESS Process, PETHREAD Thread)
{
    // KernelApcPending (author's naming). NOTE(review): 8-byte store into what
    // the name says is a one-byte flag — it also overwrites the seven bytes that
    // follow it. If the field is a single byte, use a byte-wide store.
    *(uint64_t*)(uint64_t(Thread) + 0x98 + 0x29) = 1;

    // Restore the value AttachProcess() saved. NOTE(review): OldAttach is one
    // global shared by all callers, so overlapping attach/detach pairs on
    // different threads restore the wrong value.
    *(uint64_t*)(uint64_t(Thread) + 0xB8) = OldAttach;

    // Author's note (kept; "DCP" presumably means DPC): because of the DPC
    // context the communication with user mode crashes, so a 1 ms sleep was
    // tried here. It is left disabled and still needs testing.
    //NdisMSleep(1);
}
61 |
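// Copies one chunk that lies within a single page of a user-mode address,
// going through its physical address: MmGetPhysicalAddress resolves UserVa,
// MmMapIoSpace gives the kernel a temporary view of that page, memcpy moves
// Size bytes (UserVa -> KernelVa when ReadFromUser, else the reverse) and the
// view is unmapped again. Size must not cross a page boundary — the physical
// address is only valid for the page UserVa is on.
//
// Returns STATUS_INVALID_ADDRESS when the user page has no physical backing
// (not resident, not mapped, or the wrong address space is active),
// STATUS_INSUFFICIENT_RESOURCES when the mapping fails, else STATUS_SUCCESS.
static NTSTATUS CopyThroughPhysicalPage(PVOID UserVa, PVOID KernelVa, SIZE_T Size, BOOLEAN ReadFromUser)
{
    PHYSICAL_ADDRESS Physical = MmGetPhysicalAddress(UserVa);
    if (Physical.QuadPart == 0)
    {
        return STATUS_INVALID_ADDRESS;
    }

    // NOTE(review): MmMapIoSpace is documented for device memory, not for RAM
    // that already has a cached mapping; kept from the original design, but
    // MmCopyVirtualMemory or an MDL over the user buffer is the supported route.
    PVOID Mapped = MmMapIoSpace(Physical, Size, MmNonCached);
    if (Mapped == NULL)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    if (ReadFromUser)
    {
        memcpy(KernelVa, Mapped, Size);
    }
    else
    {
        memcpy(Mapped, KernelVa, Size);
    }

    MmUnmapIoSpace(Mapped, Size);
    return STATUS_SUCCESS;
}

// Copies Size bytes between a kernel buffer and a user-mode virtual address of
// the process the caller has already switched into (see AttachProcess(); the
// physical lookup below is only meaningful while that process's page tables
// are active).
//
// Direction follows memcpy order and is chosen from Source: when Source is a
// user-mode address (<= MmHighestUserAddress) the copy is Source -> Destination
// (a read from the target); otherwise Destination is taken as the user address
// and the kernel buffer Source is written into it.
//
// The request is split at page boundaries and every page is translated on its
// own, because MmGetPhysicalAddress only resolves one page: a range straddling
// two pages must not be read from whatever physically follows the first page.
//
// Returns STATUS_INVALID_PARAMETER for a NULL Process, Destination or Source,
// STATUS_SUCCESS for Size == 0, otherwise the status of the first page that
// fails (see CopyThroughPhysicalPage) or STATUS_SUCCESS.
NTSTATUS ReadVirtualMemory(
    PEPROCESS Process,
    PVOID Destination,
    PVOID Source,
    SIZE_T Size)
{
    if (Process == NULL || Destination == NULL || Source == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }
    if (Size == 0)
    {
        return STATUS_SUCCESS;
    }

    const BOOLEAN ReadFromUser = (Source <= MmHighestUserAddress) ? TRUE : FALSE;
    UCHAR* UserVa = (UCHAR*)(ReadFromUser ? Source : Destination);
    UCHAR* KernelVa = (UCHAR*)(ReadFromUser ? Destination : Source);

    SIZE_T Done = 0;
    while (Done < Size)
    {
        // Bytes left on the current page of the user address.
        SIZE_T Chunk = PAGE_SIZE - ((ULONG_PTR)(UserVa + Done) & (PAGE_SIZE - 1));
        if (Chunk > Size - Done)
        {
            Chunk = Size - Done;
        }

        NTSTATUS Status = CopyThroughPhysicalPage(UserVa + Done, KernelVa + Done, Chunk, ReadFromUser);
        if (!NT_SUCCESS(Status))
        {
            // Partial copy: the bytes before Done are valid, the rest untouched.
            return Status;
        }
        Done += Chunk;
    }

    return STATUS_SUCCESS;
}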
136 |
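// Reads Size bytes at Address in the process with id ProcessPid into Buffer.
// Looks the process up by id (taking a reference), switches the current thread
// onto its page tables with AttachProcess(), copies through
// ReadVirtualMemory() and switches back with DetachProcess().
//
// Returns the lookup status when the process cannot be found, otherwise the
// status of the copy. The process reference is released only after a
// successful lookup: PsLookupProcessByProcessId leaves Process untouched on
// failure, and ObDereferenceObject(NULL) bug-checks.
//
// NOTE(review): AttachProcess/DetachProcess share the global OldAttach, so
// concurrent callers of this routine are not safe against each other.
NTSTATUS ReadProcessMemory(HANDLE ProcessPid, PVOID Address, PVOID Buffer, SIZE_T Size)
{
    PEPROCESS Process = NULL;
    NTSTATUS ntStatus = PsLookupProcessByProcessId(ProcessPid, &Process);
    if (!NT_SUCCESS(ntStatus) || Process == NULL)
    {
        return ntStatus;
    }

    auto CurrentThread = KeGetCurrentThread();

    AttachProcess(Process, CurrentThread);
    ntStatus = ReadVirtualMemory(Process, Buffer, Address, Size);
    DetachProcess(Process, CurrentThread);

    ObDereferenceObject(Process);
    return ntStatus;
}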
153 |
--------------------------------------------------------------------------------
/HyperHideDrv/Ssdt.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
// Syscall-table hooking interface (system service tables of ntoskrnl and the
// win32k shadow table). Inferred from the names — the implementations are not
// in this header: GetSsdt() resolves the tables and presumably must succeed
// before any Hook* call; FindCodeCaves() locates scratch space for the redirect
// stubs; each Hook* hands back the original routine through OriginFunction so
// it can be chained to and restored on unload. Confirm the call order against
// the implementation.
namespace SSDT
{
    // Locate executable scratch space for hook stubs.
    BOOLEAN FindCodeCaves();

    // Hook a win32k (shadow SSDT) service, identified by name and index.
    BOOLEAN HookWin32kSyscall(CHAR* SyscallName, SHORT SyscallIndex, PVOID NewFunctionAddress, PVOID* OriginFunction);

    // Hook an ntoskrnl (SSDT) service by index.
    BOOLEAN HookNtSyscall(ULONG SyscallIndex, PVOID NewFunctionAddress, PVOID* OriginFunction);

    // Resolve the service tables; prerequisite for the Hook* routines.
    BOOLEAN GetSsdt();

    // Address of a win32k service, by name and index.
    PVOID GetWin32KFunctionAddress(PCH SyscallName, SHORT SyscallIndex);
}
--------------------------------------------------------------------------------
/HyperHideDrv/Txoo.h:
--------------------------------------------------------------------------------
1 | #include "ntddk.h"
// One tracked debugger/debuggee pairing kept in a driver-private list (see
// Debug_AddStructToList / Debug_FindMyNeedData below). Presumably the driver's
// own replacement for the kernel's DebugPort bookkeeping — confirm.
typedef struct _DbgProcess
{
    LIST_ENTRY64 DbgProcessList;   // list linkage
    PEPROCESS DebugProcess;        // the debugger process (inferred from the name)
    PEPROCESS Process;             // the debuggee
    POBJECT_TYPE DebugObject;      // NOTE(review): typed as an object *type*, not a debug object instance — verify
    HANDLE DbgHanle;               // (sic) debug object handle
}DbgProcess, *PDbgProcess;
10 |
// Prototypes of the kernel debug-subsystem routines this driver interposes
// (NtCreateDebugObject ... DbgkForwardException). They are reconstructed by the
// author, not taken from a public header. Several parameters that are pointers
// in the kernel (StateChange, ApiMsg, TargetDebugObject) are declared as plain
// ULONG64 here — ABI-equivalent on x64 but unchecked, so keep them in step with
// the kernel's real signatures whenever a new build is supported.
// NOTE(review): pfDbgkMapViewOfSection carries BaseAddress as a 32-bit ULONG;
// presumably it should be a full pointer — confirm against the kernel.
typedef NTSTATUS(__fastcall *pfNtCreateDebugObject)(
    OUT PHANDLE DebugObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG Flags
    );

typedef NTSTATUS(
    __fastcall*
    pfNtDebugActiveProcess)(IN HANDLE ProcessHandle,
        IN HANDLE DebugHandle);

typedef
NTSTATUS(
    __fastcall* pfNtWaitForDebugEvent)(IN HANDLE DebugHandle,
        IN BOOLEAN Alertable,
        IN PLARGE_INTEGER Timeout OPTIONAL,
        OUT ULONG64 StateChange);



typedef
NTSTATUS(
    __fastcall*
    pfNtDebugContinue)(IN HANDLE DebugHandle,
        IN PCLIENT_ID AppClientId,
        IN NTSTATUS ContinueStatus);
typedef
NTSTATUS
(__fastcall*
    pfNtRemoveProcessDebug)(IN HANDLE ProcessHandle,
        IN HANDLE DebugHandle);
typedef NTSTATUS (__fastcall *pfDbgkpQueueMessage)(IN PEPROCESS Process, IN PETHREAD Thread, IN OUT ULONG64 ApiMsg, IN ULONG Flags, IN ULONG64 TargetDebugObject);
typedef VOID(__fastcall *pfDbgkMapViewOfSection)(IN PVOID Processs,
    IN PVOID Section,
    IN ULONG BaseAddress
    );
typedef VOID(__fastcall *pfDbgkUnMapViewOfSection)(IN PEPROCESS PROCESS, IN PVOID BaseAddress);
typedef NTSTATUS (__fastcall *pfDbgkOpenProcessDebugPort)(IN PEPROCESS Process, IN KPROCESSOR_MODE PreviousMode, OUT HANDLE *DebugHandle);
typedef VOID(__fastcall *pfDbgkCopyProcessDebugPort)(IN PEPROCESS Process, IN PEPROCESS Parent, IN ULONG64 unknow, IN ULONG64 unknow1);
typedef BOOLEAN( __fastcall *pfDbgkForwardException)(IN PEXCEPTION_RECORD ExceptionRecord, IN BOOLEAN DebugPort, IN BOOLEAN SecondChance);

// Original routines saved by the hook installer (defined elsewhere). "pslpNN"
// is the installer's slot number; the trailing comment on each line is the only
// record of which routine a slot holds, so keep the two in sync.
extern pfNtCreateDebugObject ori_pslp40;//pfNtCreateDebugObject
extern pfNtDebugActiveProcess ori_pslp43;//pfNtDebugActiveProcess
extern pfNtWaitForDebugEvent ori_pslp41;//pfNtWaitForDebugEvent
extern pfNtDebugContinue ori_pslp42;//pfNtDebugContinue
extern pfNtRemoveProcessDebug ori_pslp44;//pfNtRemoveProcessDebug
extern pfDbgkForwardException ori_pslp3;//pfDbgkForwardException
extern pfDbgkCopyProcessDebugPort ori_pslp2;//pfDbgkCopyProcessDebugPort
extern pfDbgkOpenProcessDebugPort ori_pslp4;//pfDbgkOpenProcessDebugPort
extern pfDbgkUnMapViewOfSection ori_pslp5;//pfDbgkUnMapViewOfSection
extern pfDbgkMapViewOfSection ori_pslp6; //pfDbgkMapViewOfSection
extern pfDbgkpQueueMessage ori_pslp11;//pfDbgkpQueueMessage

// List bookkeeping for DbgProcess entries (free, lookup, insert); see the
// struct above. InitialzeDbgprocessList (sic) presumably must run before the
// others, e.g. from DriverEntry — confirm. Nothing here indicates locking.
VOID NTAPI Debug_ExFreeItem(PDbgProcess Item);
PDbgProcess Debug_FindMyNeedData(PDbgProcess DbgStruct);
PDbgProcess Debug_AddStructToList(PDbgProcess DbgStruct);
EXTERN_C VOID InitialzeDbgprocessList();
--------------------------------------------------------------------------------
/HyperHideDrv/Utils.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/Utils.h
--------------------------------------------------------------------------------
/HyperHideDrv/dbgk1to2.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/dbgk1to2.c
--------------------------------------------------------------------------------
/HyperHideDrv/dbgk1to2.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/dbgk1to2.h
--------------------------------------------------------------------------------
/HyperHideDrv/dbgtool.h:
--------------------------------------------------------------------------------
1 |
// Node of a singly linked list of (process id, EPROCESS) pairs — presumably the
// processes being debugged — maintained by createlist/insertlist/querylist/
// deletelist below. Inferred from the names; confirm against the implementation.
// NOTE(review): this header has no include guard and no #include for HANDLE /
// PEPROCESS, so it depends on being included after ntddk.h.
typedef struct _save_handlentry{
    struct _save_handlentry*head;   // back-pointer to the list head
    HANDLE dbgProcessId;            // process id
    PEPROCESS dbgProcessStruct;     // its EPROCESS (whether it is referenced is not evident here)

    struct _save_handlentry*next;   // next node, NULL at the tail (presumably)

}_save_handlentry, *p_save_handlentry;
10 |
// createlist: allocate an empty list and return its head.
// insertlist: add a (pid, EPROCESS) node to the list at phead; what is returned
//   (new node or head) is not evident from this header.
// querylist: find the node matching dbgProcessId / dbgProcessStruct, presumably
//   NULL when absent.
// deletelist: free the node(s) reachable from pclid.
// NOTE(review): no locking is visible; if these lists are touched from hooked
// syscalls on several threads, the caller must serialize access.
p_save_handlentry createlist();
p_save_handlentry insertlist(HANDLE dbgProcessId,
    PEPROCESS dbgProcessStruct, p_save_handlentry phead);
p_save_handlentry querylist(p_save_handlentry phead, HANDLE dbgProcessId, PEPROCESS dbgProcessStruct);
void deletelist(p_save_handlentry pclid);
16 |
--------------------------------------------------------------------------------
/HyperHideDrv/struct.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/struct.h
--------------------------------------------------------------------------------
/HyperHideDrv/vmintrin.asm:
--------------------------------------------------------------------------------
1 | .CODE
; __vm_call(rcx, rdx, r8, r9): loads the driver's vmcall identifier into rax
; and executes VMCALL; the four C arguments stay in their ABI registers. The
; hypervisor recognises the magic in rax and leaves its result in rax.
; VMCALL outside VMX non-root operation raises #UD, so this must only be
; reached once the hypervisor is known to be loaded.
__vm_call proc
    mov rax,0CDAEFAEDBBAEBEEFh
    vmcall
    ret
__vm_call endp
7 |
; __vm_call_ex(rcx, rdx, r8, r9, a5..a10): ten-argument VMCALL. r10-r15 are
; spilled into a 0x30-byte frame (r12-r15 are callee-saved), arguments 5..10
; are loaded from the caller's stack into r10..r15, VMCALL runs, and the six
; registers are restored. [rsp+58h] is argument 5 because, after the sub, the
; frame is 0x30, the return address 8 and the shadow space 0x20 bytes.
; Same #UD caveat as __vm_call: only call once the hypervisor is loaded.
__vm_call_ex proc
    mov rax,0CDAEFAEDBBAEBEEFh ; our vmcall identifier

    sub rsp, 30h
    mov qword ptr [rsp], r10
    mov qword ptr [rsp + 8h], r11
    mov qword ptr [rsp + 10h], r12
    mov qword ptr [rsp + 18h], r13
    mov qword ptr [rsp + 20h], r14
    mov qword ptr [rsp + 28h], r15

    mov r10, qword ptr [rsp + 58h]
    mov r11, qword ptr [rsp + 60h]
    mov r12, qword ptr [rsp + 68h]
    mov r13, qword ptr [rsp + 70h]
    mov r14, qword ptr [rsp + 78h]
    mov r15, qword ptr [rsp + 80h]

    vmcall
    mov r10, qword ptr [rsp]
    mov r11, qword ptr [rsp + 8h]
    mov r12, qword ptr [rsp + 10h]
    mov r13, qword ptr [rsp + 18h]
    mov r14, qword ptr [rsp + 20h]
    mov r15, qword ptr [rsp + 28h]
    add rsp, 30h

    ret
__vm_call_ex endp
37 |
38 | END
--------------------------------------------------------------------------------
/HyperHideDrv/vmintrin.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #ifndef _NTIFS_H
4 | #define _NTIFS_H
5 | #include
6 | #endif // !_NTIFS_H
7 |
// C entry points for the VMCALL stubs in vmintrin.asm. Both __vm_call variants
// load the driver's vmcall identifier into rax before VMCALL; arguments travel
// in rcx/rdx/r8/r9 (plus r10-r15 for the _ex form) and the result is whatever
// the hypervisor leaves in rax.
// NOTE(review): VMCALL raises #UD when no hypervisor is running, so callers
// must check the hypervisor is loaded first. __invept is declared here but not
// defined in this project's vmintrin.asm; the airhv stub of the same name does
// not set rax, so its BOOLEAN result would be indeterminate — verify which
// implementation links in.
extern "C"
{
    bool __vm_call(unsigned __int64 vmcall_reason, unsigned __int64 rdx, unsigned __int64 r8, unsigned __int64 r9);
    bool __vm_call_ex(unsigned __int64 vmcall_reason, unsigned __int64 rdx, unsigned __int64 r8, unsigned __int64 r9, unsigned __int64 r10, unsigned __int64 r11, unsigned __int64 r12, unsigned __int64 r13, unsigned __int64 r14, unsigned __int64 r15);
    BOOLEAN __invept(unsigned __int32 Type, void* Descriptors);
}
--------------------------------------------------------------------------------
/HyperHideDrv/wrRegstry.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/wrRegstry.c
--------------------------------------------------------------------------------
/HyperHideDrv/wrRegstry.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/wrRegstry.h
--------------------------------------------------------------------------------
/HyperHideDrv/获取汇编指令长度.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/HyperHideDrv/获取汇编指令长度.h
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # vt-debugger
2 | vt框架使用的airhv,增加了自建调试体系部分,稍微修改下可以调试大部分游戏,给学习vt的同学参考
3 | vt调试器:
4 | 1. ept hook.
5 | 2. 无痕int3.
6 | 3. 自建调试体系隐藏debugport.
7 | 4. 支持pdb符号自动下载,省去寻找特征码步骤,轻松兼容不同系统版本.
8 | 5. 5.zip文件是编译好的成品,后面会持续更新
9 | 6. 支持平台 win10 x64 intel architecture cpu.
10 | 7. 如果你在虚拟机里测试:虚拟机的配置:[内存>=4GB, cpu核心数>=2]
11 |
12 | The source code is based on HyperHide; with a few modifications it can debug a lot of games.
13 | vt debugger:
14 | 1. ept hook.
15 | 2. invisible int3 breakpoint.
16 | 3. self-built debug system that hides the debug port.
17 | 4. downloads PDB symbols automatically, compatible with different system versions.
18 | 5. 5.zip is the compiled build; it will be updated regularly.
19 | 6. support platform win10 x64 intel architecture cpu.
20 | 7. if you test in a virtual machine, configure it with memory >= 4GB and >= 2 CPU cores.
21 |
22 | 
23 | 
24 |
--------------------------------------------------------------------------------
/airhv/airhv-main/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Air14
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/airhv/airhv-main/README.md:
--------------------------------------------------------------------------------
1 | # airhv
2 |
3 | airhv is a simple hypervisor based on Intel VT-x, mainly focused on EPT hooking.
4 | ## Features
5 | * EPT support with 2MB page mappings (split dynamically into 4KB pages when needed)
6 | * Ability to run inside VMware, which uses a few I/O ports for communication between vmtools and the VMware hypervisor
7 | * Ability to handle various VM-exit cases: `CPUID` `RDTSC` `RDTSCP` `RDRAND` `RDSEED` `WBINVD/INVD` `IN/OUT` `XSETBV` `RDMSR` `WRMSR` `INVPCID` `MOV DR` `CR ACCESS` `EXCEPTIONS/NMI` `VMCALL` `INVLPG` `GDTR/IDTR ACCESS` `LDTR/TR ACCESS`
8 | * Ability to perform inline hooking via ept
9 | * Includes a simple driver (airhvctrl) that communicates with the hypervisor via `VMCALL` to hook a syscall (via EPT).
10 | It hooks NtCreateFile and, every time a user tries to create a file named test.txt, prevents them from doing so.
11 |
12 | ## Future possible features
13 | * Ability to run under AMD-SVM
14 | * Ability to handle more VM-exit cases
15 | * Ability to make the hypervisor undetectable via timing counters (rdtsc, rdtscp)
16 | * Ability to run nested VMs
17 | * MSR_LSTAR hooking
18 |
19 | ## Compilation
20 |
21 | Compile with Visual Studio 2019 (Requires [WDK](https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk))
22 |
23 | ## Supported hardware
24 | Intel processors with VT-x and EPT support
25 |
26 | ## Supported platforms
27 | Windows 7 - Windows 10, x64 only
28 |
29 | ## License
30 | airhv is under MIT license.
31 | Dependencies are licensed by their own licenses.
32 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30907.101
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "airhv", "airhv\airhv.vcxproj", "{CC497BEE-6B9E-4732-8B60-35DFE6526C28}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "airhvctrl", "airhvctrl\airhvctrl.vcxproj", "{98E8F109-6A08-4461-A245-42B7CE32A703}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug_Minimal|x64 = Debug_Minimal|x64
13 | Debug|x64 = Debug|x64
14 | Release_Minimal|x64 = Release_Minimal|x64
15 | Release|x64 = Release|x64
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Debug_Minimal|x64.ActiveCfg = Debug_Minimal|x64
19 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Debug_Minimal|x64.Build.0 = Debug_Minimal|x64
20 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Debug_Minimal|x64.Deploy.0 = Debug_Minimal|x64
21 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Debug|x64.ActiveCfg = Debug|x64
22 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Debug|x64.Build.0 = Debug|x64
23 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Debug|x64.Deploy.0 = Debug|x64
24 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Release_Minimal|x64.ActiveCfg = Release_Minimal|x64
25 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Release_Minimal|x64.Build.0 = Release_Minimal|x64
26 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Release_Minimal|x64.Deploy.0 = Release_Minimal|x64
27 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Release|x64.ActiveCfg = Release|x64
28 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Release|x64.Build.0 = Release|x64
29 | {CC497BEE-6B9E-4732-8B60-35DFE6526C28}.Release|x64.Deploy.0 = Release|x64
30 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Debug_Minimal|x64.ActiveCfg = Debug|x64
31 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Debug_Minimal|x64.Build.0 = Debug|x64
32 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Debug_Minimal|x64.Deploy.0 = Debug|x64
33 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Debug|x64.ActiveCfg = Debug|x64
34 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Debug|x64.Build.0 = Debug|x64
35 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Debug|x64.Deploy.0 = Debug|x64
36 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Release_Minimal|x64.ActiveCfg = Release_Minimal|x64
37 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Release_Minimal|x64.Build.0 = Release_Minimal|x64
38 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Release_Minimal|x64.Deploy.0 = Release_Minimal|x64
39 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Release|x64.ActiveCfg = Release|x64
40 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Release|x64.Build.0 = Release|x64
41 | {98E8F109-6A08-4461-A245-42B7CE32A703}.Release|x64.Deploy.0 = Release|x64
42 | EndGlobalSection
43 | GlobalSection(SolutionProperties) = preSolution
44 | HideSolutionNode = FALSE
45 | EndGlobalSection
46 | GlobalSection(ExtensibilityGlobals) = postSolution
47 | SolutionGuid = {A387B9A7-546D-4699-8524-1E3CC92C3650}
48 | EndGlobalSection
49 | EndGlobal
50 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/airhv.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | WindowsRemoteDebugger
5 |
6 |
7 | WindowsRemoteDebugger
8 |
9 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/allocators.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "common.h"
4 |
/// Allocates `size` bytes of NonPagedPool tagged VMM_TAG and returns the block
/// cast to T (the pointer type the caller wants back). Returns null when the
/// pool request fails; the memory is not zeroed.
/// NOTE(review): plain NonPagedPool is executable on kernels that predate the
/// NonPagedPoolNx default; unless an allocation must hold code, NonPagedPoolNx
/// is the hardened choice.
template <typename T>
inline T allocate_pool(unsigned __int64 size)
{
    void* const block = ExAllocatePoolWithTag(NonPagedPool, size, VMM_TAG);
    return (T)block;
}
16 |
/// Allocates one T (sizeof(T) bytes) from NonPagedPool tagged VMM_TAG.
/// Returns T* or null; the object is neither zeroed nor constructed.
template <typename T>
inline T* allocate_pool()
{
    const unsigned __int64 bytes = sizeof(T);
    void* const block = ExAllocatePoolWithTag(NonPagedPool, bytes, VMM_TAG);
    return static_cast<T*>(block);
}
28 |
/// Allocates sizeof(T) bytes of physically contiguous, non-paged memory; any
/// physical address is acceptable (highest-acceptable limit = all ones).
/// Returns T* or null; the memory is not zeroed. Free with free_contignous_memory.
template <typename T>
inline T* allocate_contignous_memory()
{
    PHYSICAL_ADDRESS highest_acceptable;
    highest_acceptable.QuadPart = ~0ULL;
    void* const block = MmAllocateContiguousMemory(sizeof(T), highest_acceptable);
    return static_cast<T*>(block);
}
41 |
/// Allocates `size` bytes of physically contiguous, non-paged memory and returns
/// it cast to T; any physical address is acceptable (limit = all ones).
/// Returns null on failure; the memory is not zeroed. Free with free_contignous_memory.
template <typename T>
inline T allocate_contignous_memory(unsigned __int64 size)
{
    PHYSICAL_ADDRESS highest_acceptable;
    highest_acceptable.QuadPart = ~0ULL;
    void* const block = MmAllocateContiguousMemory(size, highest_acceptable);
    return (T)block;
}
54 |
/// Releases a block obtained from allocate_pool(). The tag must be VMM_TAG (a
/// mismatch may bug-check) and a null pointer is not accepted — guard at the
/// call site if the allocation may have failed.
inline void free_pool(void* pool_address)
{
    const ULONG tag = VMM_TAG;
    ExFreePoolWithTag(pool_address, tag);
}
63 |
/// Releases memory obtained from allocate_contignous_memory(); the pointer must
/// be the base address that call returned, and must not be null.
inline void free_contignous_memory(void* memory_address)
{
    void* const base = memory_address;
    MmFreeContiguousMemory(base);
}
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/asm/vm_context.asm:
--------------------------------------------------------------------------------
1 | .CODE
2 | extern ?vmexit_handler@@YA_NPEAU__vmexit_guest_registers@@@Z : proc
3 | extern ?init_logical_processor@@YAXPEAX@Z : proc
4 | extern ?return_rsp_for_vmxoff@@YA_KXZ : proc
5 | extern ?return_rip_for_vmxoff@@YA_KXZ : proc
6 |
7 | PUBLIC ?vmm_entrypoint@@YAXXZ
8 | PUBLIC ?vmx_restore_state@@YAXXZ
9 | PUBLIC ?vmx_save_state@@YAXXZ
10 |
; Push the general-purpose registers so the resulting stack image is the
; register frame handed to the C side (presumably matching the
; __vmexit_guest_registers struct named in the extern above — confirm: rax
; ends at the highest address, r15 at [rsp]). The -1 pushed into rsp's slot
; is a placeholder; the guest rsp lives in the VMCS, not on this stack.
SAVE_GP macro
    push rax
    push rcx
    push rdx
    push rbx
    push -01h ; placeholder for rsp
    push rbp
    push rsi
    push rdi
    push r8
    push r9
    push r10
    push r11
    push r12
    push r13
    push r14
    push r15
endm
; Mirror of SAVE_GP: pops the frame back into the registers. The placeholder
; rsp slot is popped into rbx and immediately overwritten by the real rbx.
RESTORE_GP macro
    pop r15
    pop r14
    pop r13
    pop r12
    pop r11
    pop r10
    pop r9
    pop r8
    pop rdi
    pop rsi
    pop rbp
    pop rbx ; placeholder for rsp
    pop rbx
    pop rdx
    pop rcx
    pop rax
endm
47 |
; VM-exit entry: HOST_RIP in the VMCS points here with rsp = HOST_RSP.
; Saves the GP registers (SAVE_GP) and xmm0-xmm5, passes the register frame
; in rcx to vmexit_handler (with the 0x20-byte shadow space the ABI requires)
; and restores the xmm state. movdqa needs a 16-byte aligned rsp: HOST_RSP
; must be aligned and SAVE_GP's 16 pushes keep it so.
; vmexit_handler returns a bool in al. 1 = resume the guest (RESTORE_GP,
; vmresume). Anything else = leave VMX: the rsp/rip to continue at come from
; return_rsp_for_vmxoff / return_rip_for_vmxoff, the guest's registers are
; reloaded from the SAVE_GP frame addressed by rcx ([rcx]=rip, [rcx+8]=rsp,
; [rcx+10h]=r15 ... [rcx+88h]=rax), the continuation rip is pushed onto the
; guest stack and `ret` jumps there. Note that push writes 8 bytes below the
; guest's rsp.
?vmm_entrypoint@@YAXXZ proc
    SAVE_GP
    ; spill xmm0-xmm5 (caller-saved in the C ABI, but the guest owns them)
    sub rsp ,60h
    movdqa xmmword ptr [rsp], xmm0
    movdqa xmmword ptr [rsp+10h], xmm1
    movdqa xmmword ptr [rsp+20h], xmm2
    movdqa xmmword ptr [rsp+30h], xmm3
    movdqa xmmword ptr [rsp+40h], xmm4
    movdqa xmmword ptr [rsp+50h], xmm5
    mov rcx, rsp
    sub rsp, 20h
    call ?vmexit_handler@@YA_NPEAU__vmexit_guest_registers@@@Z
    add rsp, 20h
    movdqa xmm0, xmmword ptr [rsp]
    movdqa xmm1, xmmword ptr [rsp+10h]
    movdqa xmm2, xmmword ptr [rsp+20h]
    movdqa xmm3, xmmword ptr [rsp+30h]
    movdqa xmm4, xmmword ptr [rsp+40h]
    movdqa xmm5, xmmword ptr [rsp+50h]
    add rsp, 60h
    cmp al, 1
    jnz exit
    RESTORE_GP
    vmresume
exit:
    ; vmxoff path: fetch the guest rsp and rip the handler prepared
    sub rsp, 20h
    call ?return_rsp_for_vmxoff@@YA_KXZ
    add rsp, 20h

    push rax

    sub rsp, 20h
    call ?return_rip_for_vmxoff@@YA_KXZ
    add rsp, 20h

    push rax

    ; rcx -> [rip][rsp][SAVE_GP frame]; switch to the guest stack, push rip
    mov rcx,rsp
    mov rsp,[rcx+8h]
    mov rax,[rcx]
    push rax

    ; restore guest registers from the frame ([rcx+68h] is the rsp placeholder)
    mov r15,[rcx+10h]
    mov r14,[rcx+18h]
    mov r13,[rcx+20h]
    mov r12,[rcx+28h]
    mov r11,[rcx+30h]
    mov r10,[rcx+38h]
    mov r9,[rcx+40h]
    mov r8,[rcx+48h]
    mov rdi,[rcx+50h]
    mov rsi,[rcx+58h]
    mov rbp,[rcx+60h]
    mov rbx,[rcx+70h]
    mov rdx,[rcx+78h]
    mov rax,[rcx+88h]
    mov rcx,[rcx+80h]

    ret
?vmm_entrypoint@@YAXXZ endp
108 |
; Captures the state the guest will resume with — flags (pushfq) and the GP
; registers (SAVE_GP) — then hands the frame (rcx = rsp, below a 0x20 shadow
; space) to init_logical_processor, which presumably builds the VMCS from it
; and vmlaunches so that execution continues in vmx_restore_state. Falling
; through to `int 3` therefore means vmlaunch failed: a deliberate break
; rather than returning with half-initialised VMX state.
?vmx_save_state@@YAXXZ PROC
    pushfq
    SAVE_GP
    sub rsp, 020h
    mov rcx, rsp
    call ?init_logical_processor@@YAXPEAX@Z
    int 3 ; we should never be here

?vmx_save_state@@YAXXZ ENDP
118 |
; Counterpart of vmx_save_state: runs with rsp pointing at the frame that
; routine built (presumably as the guest's first instruction after vmlaunch).
; Drops the 0x20 shadow space, restores the GP registers and flags, and
; returns to vmx_save_state's caller as if vmx_save_state had returned.
?vmx_restore_state@@YAXXZ PROC
    add rsp, 020h
    RESTORE_GP
    popfq
    ret
?vmx_restore_state@@YAXXZ ENDP
125 |
126 | END
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/asm/vm_context.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "vmexit_handler.h"
3 |
4 | void vmm_entrypoint();
5 | void vmx_restore_state();
6 | void vmx_save_state();
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/asm/vm_intrin.asm:
--------------------------------------------------------------------------------
1 | .CODE
2 |
; __writecr2(rcx): loads CR2 from the first argument. The compiler offers no
; intrinsic for writing CR2, hence the stub.
__writecr2 proc
    mov cr2,rcx
    ret
__writecr2 endp
7 |
; __read_ldtr(): returns the LDT selector in ax (declared unsigned short on the C side).
__read_ldtr proc
    sldt ax
    ret
__read_ldtr endp
12 |
; __read_tr(): returns the task register selector in ax.
__read_tr proc
    str ax
    ret
__read_tr endp
17 |
; __read_cs(): returns the CS selector in ax.
__read_cs proc
    mov ax, cs
    ret
__read_cs endp
22 |
; __read_ss(): returns the SS selector in ax.
__read_ss proc
    mov ax, ss
    ret
__read_ss endp
27 |
; __read_ds(): returns the DS selector in ax.
__read_ds proc
    mov ax, ds
    ret
__read_ds endp
32 |
; __read_es(): returns the ES selector in ax.
__read_es proc
    mov ax, es
    ret
__read_es endp
37 |
; __read_fs(): returns the FS selector in ax (the selector only, not the FS base MSR).
__read_fs proc
    mov ax, fs
    ret
__read_fs endp
42 |
; __read_gs(): returns the GS selector in ax (the selector only, not the GS base MSR).
__read_gs proc
    mov ax, gs
    ret
__read_gs endp
47 |
; __sgdt(rcx): stores the GDTR (16-bit limit + 64-bit base = 10 bytes) at
; [rcx]. The operand is spelled qword ptr for the assembler only; the caller's
; buffer must be at least 10 bytes.
__sgdt proc
    sgdt qword ptr [rcx]
    ret
__sgdt endp
52 |
; __sidt(rcx): stores the IDTR (16-bit limit + 64-bit base = 10 bytes) at
; [rcx]; same buffer-size caveat as __sgdt.
__sidt proc
    sidt qword ptr [rcx]
    ret
__sidt endp
57 |
; __load_ar(rcx): LAR — returns the access-rights byte(s) of selector rcx in
; rax, or 0 when the selector cannot be loaded (LAR sets ZF only on success,
; so a clear ZF means failure and rax is zeroed).
__load_ar proc
    lar rax, rcx
    jz no_error
    xor rax, rax
no_error:
    ret
__load_ar endp
65 |
; Issue a VMCALL tagged with this hypervisor's identifier (VMCALL_IDENTIFIER in
; common.h). rcx/rdx/r8/r9 arrive from the C caller and are passed through
; untouched as the call arguments; per the prototype in vm_intrin.h the exit
; handler's answer comes back in rax. The identifier is only a tag: any guest
; code that can execute VMCALL, including CPL 3, reaches the exit handler with
; it, so authorisation has to happen in the handler (e.g. via guest CPL).
__vm_call proc
mov rax,0CDAEFAEDBBAEBEEFh
vmcall
ret
__vm_call endp
71 |
; Extended VMCALL carrying ten arguments. rcx/rdx/r8/r9 are the first four (as
; in __vm_call); arguments 5-10 are taken from the caller's stack and handed to
; the exit handler in r10-r15. r10-r15 are saved and restored around the call
; so the C caller sees them unchanged; the answer is returned in rax.
; The identifier is a tag, not an authentication: CPL 3 code can issue the
; same VMCALL, so the exit handler must do its own checks.
__vm_call_ex proc
mov rax,0CDAEFAEDBBAEBEEFh ; VMCALL_IDENTIFIER from common.h

; Six pushes consume 30h bytes, the same frame size as the original
; sub rsp,30h, so the stack-argument offsets below are unchanged.
push r10
push r11
push r12
push r13
push r14
push r15

; Caller frame seen from here: [rsp+30h] return address, [rsp+38h..50h] the
; 20h shadow space, then arguments 5..10 at 58h, 60h, ..., 80h.
mov r10, qword ptr [rsp + 58h]
mov r11, qword ptr [rsp + 60h]
mov r12, qword ptr [rsp + 68h]
mov r13, qword ptr [rsp + 70h]
mov r14, qword ptr [rsp + 78h]
mov r15, qword ptr [rsp + 80h]

vmcall

; Restore in reverse push order; rax (the result) is not touched.
pop r15
pop r14
pop r13
pop r12
pop r11
pop r10

ret
__vm_call_ex endp
101 |
; Raw VMCALL with no identifier in rax: rcx/rdx/r8 go straight through to
; whatever hypervisor is underneath and rax comes back as the result. The name
; and three-argument prototype suggest the Hyper-V hypercall convention
; (rcx = control, rdx/r8 = input/output); that cannot be confirmed from this
; listing. Used when airhv is itself running nested under another hypervisor.
__hyperv_vm_call proc
vmcall
ret
__hyperv_vm_call endp
106 |
; Load GDTR from (base = rcx, limit = rdx). A 10-byte pseudo-descriptor is
; assembled on the stack: after the two pushes [rsp+6..7] holds the limit (rdx
; shifted into the top word of its qword) and [rsp+8..15] the base, which is
; the exact layout lgdt fword ptr [rsp+6] reads. The two pops just rebalance
; the stack; rax is volatile, so clobbering it is harmless. Privileged (CPL 0).
__reload_gdtr PROC
push rcx
shl rdx, 48
push rdx
lgdt fword ptr [rsp+6]
pop rax
pop rax
ret
__reload_gdtr ENDP
116 |
117 |
; Load IDTR from (base = rcx, limit = rdx), using the same stack-built
; pseudo-descriptor trick as __reload_gdtr: limit at [rsp+6], base at [rsp+8].
; Privileged (CPL 0). Changing IDTR redirects every interrupt/exception on this
; processor, so the caller must supply a fully populated table.
__reload_idtr PROC
push rcx
shl rdx, 48
push rdx
lidt fword ptr [rsp+6]
pop rax
pop rax
ret
__reload_idtr ENDP
127 |
; INVEPT: rcx = invalidation type (invept_type), [rdx] = 16-byte __invept_descriptor.
; Only valid in VMX root operation (#UD elsewhere). The instruction reports
; failure through RFLAGS (CF/ZF) and this wrapper discards it, so an
; invalid type/descriptor silently leaves stale EPT translations in place;
; callers that depend on the flush for hook/unhook correctness cannot detect that.
__invept PROC
invept rcx,oword ptr[rdx]
ret
__invept ENDP
132 |
; INVVPID: rcx = invalidation type (invvpid_type), [rdx] = 16-byte __invvpid_descriptor.
; Only valid in VMX root operation (#UD elsewhere). Success/failure is reported
; in RFLAGS and discarded here, so e.g. a zero VPID with a single-context type
; (rejected by the processor) goes unnoticed by the C caller.
__invvpid PROC
invvpid rcx,oword ptr[rdx]
ret
__invvpid ENDP
137 |
138 | END
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/asm/vm_intrin.h:
--------------------------------------------------------------------------------
1 | #pragma once
extern "C"
{
	// Segment/task register selector readers (asm/vm_intrin.asm). Each returns
	// the 16-bit selector only; bases for FS/GS come from MSRs, not from here.
	unsigned short __read_ldtr(void);
	unsigned short __read_tr(void);
	unsigned short __read_cs(void);
	unsigned short __read_ss(void);
	unsigned short __read_ds(void);
	unsigned short __read_es(void);
	unsigned short __read_fs(void);
	unsigned short __read_gs(void);
	// Store GDTR/IDTR into a buffer of at least 10 bytes (__pseudo_descriptor64).
	void __sgdt(void*);
	void __sidt(void*);
	// Access rights of a selector via LAR; 0 when LAR rejects the selector.
	unsigned __int32 __load_ar(unsigned __int16);
	// VMCALL to this hypervisor with VMCALL_IDENTIFIER in rax. Arguments map to
	// rcx/rdx/r8/r9 (and r10-r15 for the _ex form); the exit handler's status is
	// returned. The identifier is a tag, not an authentication of the caller.
	bool __vm_call(unsigned __int64 vmcall_reason, unsigned __int64 rdx, unsigned __int64 r8, unsigned __int64 r9);
	bool __vm_call_ex(unsigned __int64 vmcall_reason, unsigned __int64 rdx, unsigned __int64 r8, unsigned __int64 r9, unsigned __int64 r10, unsigned __int64 r11, unsigned __int64 r12, unsigned __int64 r13, unsigned __int64 r14, unsigned __int64 r15);
	// Untagged VMCALL passed through to an underlying hypervisor (nested case).
	unsigned __int64 __hyperv_vm_call(unsigned __int64 param1, unsigned __int64 param2, unsigned __int64 param3);
	// Load GDTR/IDTR from a (base, limit) pair. CPL 0 only.
	void __reload_gdtr(unsigned __int64 base, unsigned long limit);
	void __reload_idtr(unsigned __int64 base, unsigned long limit);
	// INVEPT/INVVPID wrappers: type from invept_type/invvpid_type, descriptors
	// points at the 16-byte descriptor. VMX root only; the instruction's
	// RFLAGS-based error result is discarded by the asm, so failures are silent.
	void __invept(unsigned __int32 type, void* descriptors);
	void __invvpid(unsigned __int32 type, void* descriptors);
	// Write CR2 (CPL 0 only).
	void __writecr2(unsigned __int64 cr2);
	// Compiler RDSEED intrinsics, redeclared here rather than via <immintrin.h>;
	// each returns nonzero when a value was produced.
	int __cdecl _rdseed16_step(unsigned __int16* return_value);
	int __cdecl _rdseed32_step(unsigned __int32* return_value);
	int __cdecl _rdseed64_step(unsigned __int64* return_value);
}
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/common.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "ia32\ept.h"
4 | #include "poolmanager.h"
5 | #include "ia32\exception.h"
6 | #include "ia32\mtrr.h"
7 | #include "ia32\rflags.h"
8 |
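// Length-disassembler engine (implemented outside this listing): returns the
// byte length of the instruction at lpData, reading at most `size` bytes. The
// result drives instruction copying for EPT hook trampolines, so lpData must be
// readable, trusted code.
extern "C" size_t __fastcall LDE(const void* lpData, unsigned int size);

// Tag placed in rax before VMCALL so the exit handler can recognise this
// hypervisor's own calls (see __vm_call in asm/vm_intrin.asm). It is a tag,
// not an authentication: any guest code that can execute VMCALL may supply it.
#define VMCALL_IDENTIFIER 0xCDAEFAEDBBAEBEEF
// Pool tag for hypervisor allocations (shows as 'arhv' in a memory dump).
#define VMM_TAG 'vhra'
// Size of the per-vcpu host stack used while handling VM exits.
#define VMM_STACK_SIZE 0x6000

// 2 MiB large page.
#define LARGE_PAGE_SIZE 0x200000
// Page frame number of a physical address. The argument is parenthesised so
// that an expression argument is shifted as a whole (e.g. GET_PFN(a & b)
// previously expanded to a & (b >> PAGE_SHIFT)).
#define GET_PFN(_VAR_) ((_VAR_) >> PAGE_SHIFT)

// Bit-masking helpers. Each argument is parenthesised: the earlier bodies
// expanded MASK_GET_LOWER_8BITS(a | b) to (a | b & 0xff), which is
// a | (b & 0xff) because & binds tighter than |.
#define MASK_GET_HIGHER_32BITS(_ARG_)((_ARG_) & 0xffffffff00000000)
#define MASK_GET_LOWER_32BITS(_ARG_)((_ARG_) & 0xffffffff)
#define MASK_GET_LOWER_16BITS(_ARG_)((_ARG_) & 0xffff)
#define MASK_GET_LOWER_8BITS(_ARG_)((_ARG_) & 0xff)
#define MASK_32BITS 0xffffffff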
23 |
// Guest register frame saved at VM exit. The field order is the memory layout
// the exit stubs (SAVE_GP/vmm_entrypoint in asm/vm_context.asm, outside this
// listing) read and write by fixed offset, so it must not be reordered or
// padded without updating the assembly. Only six XMM registers are kept.
struct __vmexit_guest_registers
{
	__m128 xmm[6];
	unsigned __int64 r15;
	unsigned __int64 r14;
	unsigned __int64 r13;
	unsigned __int64 r12;
	unsigned __int64 r11;
	unsigned __int64 r10;
	unsigned __int64 r9;
	unsigned __int64 r8;
	unsigned __int64 rdi;
	unsigned __int64 rsi;
	unsigned __int64 rbp;
	unsigned __int64 rsp;   // slot exists for layout; the guest RSP itself is held in the VMCS
	unsigned __int64 rbx;
	unsigned __int64 rdx;
	unsigned __int64 rcx;
	unsigned __int64 rax;
};
44 |
// Global EPT state shared by all vcpus.
struct __ept_state
{
	LIST_ENTRY hooked_page_list;                 // list of pages currently hooked via EPT
	__mtrr_range_descriptor memory_range[100];  // fixed capacity; whoever fills it (ept.cpp, not in view) must cap enabled_memory_ranges at 100
	unsigned __int32 enabled_memory_ranges;     // number of valid entries in memory_range
	unsigned __int8 default_memory_type;        // memory type for addresses not covered by an MTRR range
	__eptp* ept_pointer;                        // EPTP written to the VMCS
	__vmm_ept_page_table* ept_page_table;       // backing EPT paging structures
	volatile long pml_lock;                     // spinlock (see namespace spinlock) guarding page-table edits
};
55 |
// 4 KiB VMCS / VMXON region as defined by the SDM: a 32-bit header (revision
// identifier from IA32_VMX_BASIC, plus the shadow-VMCS bit), a 32-bit
// VMX-abort indicator, and opaque processor-managed data. sizeof == 0x1000.
struct __vmcs
{
	union
	{
		unsigned int all;
		struct
		{
			unsigned int revision_identifier : 31;
			unsigned int shadow_vmcs_indicator : 1;
		};
	} header;
	unsigned int abort_indicator;
	char data[0x1000 - 2 * sizeof(unsigned)];
};
70 |
// Per-logical-processor hypervisor state.
struct __vcpu
{
	void* vmm_stack;                  // host stack used while handling VM exits

	__vmcs* vmcs;                     // VMCS region (virtual address) ...
	unsigned __int64 vmcs_physical;   // ... and its physical address for VMPTRLD/VMCLEAR

	__vmcs* vmxon;                    // VMXON region ...
	unsigned __int64 vmxon_physical;  // ... and its physical address for VMXON

	// Snapshot of the exit being handled; filled from the VMCS on each exit.
	struct __vmexit_info
	{
		__vmexit_guest_registers* guest_registers;  // register frame saved by the exit stub

		unsigned __int64 guest_rip;                 // guest RIP at the exit

		__rflags guest_rflags;                      // guest RFLAGS at the exit

		unsigned __int64 instruction_length;        // VM-exit instruction length (used to skip the exiting instruction)

		unsigned __int64 reason;                    // basic exit reason

		unsigned __int64 qualification;             // exit qualification

		unsigned __int64 instruction_information;   // VM-exit instruction information

	}vmexit_info;

	struct __vcpu_status
	{
		unsigned __int64 vmx_on;        // nonzero once VMXON succeeded on this processor
		unsigned __int64 vmm_launched;  // nonzero once VMLAUNCH succeeded (checked by driver_unload on vcpu 0)
	}vcpu_status;

	// State used when the guest asks the hypervisor to turn itself off: the
	// RIP/RSP to continue at after VMXOFF.
	struct __vmx_off_state
	{
		unsigned __int64 vmx_off_executed;
		unsigned __int64 guest_rip;
		unsigned __int64 guest_rsp;
	}vmx_off_state;

	// Bitmaps referenced by the VMCS; each needs both the virtual address (for
	// editing, see hv::set_msr_bitmap / hv::set_io_bitmap) and the physical one.
	struct __vcpu_bitmaps
	{
		unsigned __int8* msr_bitmap;
		unsigned __int64 msr_bitmap_physical;

		unsigned __int8* io_bitmap_a;
		unsigned __int64 io_bitmap_a_physical;

		unsigned __int8* io_bitmap_b;
		unsigned __int64 io_bitmap_b_physical;
	}vcpu_bitmaps;
};
124 |
// Global hypervisor context, reachable through g_vmm_context.
struct __vmm_context
{
	__vcpu** vcpu_table;                        // one __vcpu per logical processor, processor_count entries
	pool_manager::__pool_manager* pool_manager; // pre-allocated pool used from VMX root, where kernel allocators are unavailable
	__ept_state* ept_state;                     // shared EPT state

	unsigned __int32 processor_count;           // number of entries in vcpu_table
	unsigned __int32 highest_basic_leaf;        // highest basic CPUID leaf reported by the hardware
	bool hv_presence;                           // whether the hypervisor advertises itself via CPUID (hvgt::hypervisor_visible)
};
135 |
136 | extern __vmm_context* g_vmm_context;
137 |
// Minimal spinlock on a 32-bit word, usable from VMX root operation where
// kernel synchronisation primitives cannot be called.
namespace spinlock
{
	bool try_lock(volatile long* lock);   // single acquisition attempt; true if acquired
	void lock(volatile long* lock);       // spin until acquired
	void unlock(volatile long* lock);     // release; caller must hold the lock
}
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/ept.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/airhv/airhv-main/airhv/ept.cpp
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/hypervisor_gateway.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Gateway used by kernel-mode callers to talk to the running hypervisor
// (VMCALL based). Everything here executes in the guest, not in VMX root.
namespace hvgt
{
	///
	/// Turn the hypervisor off on every processor (VMXOFF) and return control to the bare OS.
	///
	void vmoff();

	///
	/// Invalidate TLB and paging-structure-cache entries derived from EPT.
	///
	/// invept_all: true invalidates every EPT context; false only the single
	/// context this hypervisor uses (it currently never has more than one).
	void invept(bool invept_all);

	///
	/// Set or clear the hypervisor's presence in the CPUID interface.
	///
	/// value: false hides the hypervisor from CPUID probes, true exposes it.
	/// NOTE(review): this only affects CPUID; timing and VMCALL behaviour still differ from bare metal.
	void hypervisor_visible(bool value);

	///
	/// Remove every EPT hook and invalidate the mappings.
	///
	/// Returns status.
	bool ept_unhook();

	///
	/// Remove the EPT hook covering function_address and invalidate the mappings.
	///
	/// function_address: address inside the hooked page
	/// Returns status.
	bool ept_unhook(void* function_address);

	///
	/// Hook a function via EPT and invalidate the mappings.
	///
	/// target_address : address of the function to hook
	/// hook_function  : address of the detour that will receive calls
	/// origin_function: receives an address through which the original function can be called
	/// Returns status.
	bool hook_function(void* target_address, void* hook_function, void** origin_function);

	///
	/// Hook a function via EPT using a caller-supplied code cave, and invalidate the mappings.
	///
	/// target_address    : address of the function to hook
	/// hook_function     : address of the detour that will receive calls
	/// trampoline_address: code cave of at least 14 bytes within 2 GB of target_address.
	///                     Use only when the first 14 bytes of the target contain
	///                     RIP-relative jmps/moves that cannot be relocated.
	/// origin_function   : receives an address through which the original function can be called
	/// Returns status.
	bool hook_function(void* target_address, void* hook_function, void* trampoline_address, void** origin_function);

	///
	/// Check that the hypervisor answers our VMCALLs.
	///
	/// Returns status.
	bool test_vmcall();

	///
	/// Send the IRP (IOCTL_POOL_MANAGER_ALLOCATE) asking the hypervisor driver to
	/// replenish its pool, which cannot be done from VMX root.
	///
	/// Returns status.
	bool send_irp_perform_allocation();
}

67 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/hypervisor_routines.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "common.h"
4 |
// Which system-call table a request refers to: ntoskrnl's (NT) or win32k's.
enum __syscall_type
{
	SYSCALL_NT,
	SYSCALL_WIN32K
};
10 |
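// Helpers used inside the hypervisor (mostly from VMX root operation).
namespace hv
{
	///
	/// Check whether the CPU supports VMX operation.
	///
	bool virtualization_support();

	///
	/// Disable VMX operation (VMXOFF) on the current processor.
	///
	void disable_vmx_operation();

	///
	/// Read a VMCS field.
	///
	/// vmcs_field: field encoding
	/// Returns the field value.
	unsigned __int64 vmread(unsigned __int64 vmcs_field);

	///
	/// Dump the whole VMCS to the log.
	///
	void dump_vmcs();

	///
	/// Set or clear one MSR in the MSR bitmap.
	///
	/// msr  : MSR number
	/// vcpu : vcpu whose bitmap is edited
	/// read : if set, affect the read bitmap (exit on RDMSR)
	/// write: if set, affect the write bitmap (exit on WRMSR)
	/// value: true sets the bit, false clears it
	void set_msr_bitmap(unsigned __int32 msr, __vcpu* vcpu, bool read, bool write, bool value);

	///
	/// Set or clear one port in the I/O bitmap.
	///
	/// io_port: port number
	/// vcpu   : vcpu whose bitmap is edited
	/// value  : true sets the bit (exit on access), false clears it
	void set_io_bitmap(unsigned __int16 io_port, __vcpu* vcpu, bool value);

	///
	/// Return the current guest privilege level (CPL).
	/// VMCALL handlers should consult this before honouring a request, since
	/// CPL 3 code can execute VMCALL with the hypervisor's identifier too.
	///
	unsigned __int8 get_guest_cpl();

	///
	/// Swap CR3 with the current process' directory table base.
	///
	/// Returns the previous CR3 (pass it to restore_context).
	unsigned __int64 swap_context();

	///
	/// Restore the CR3 returned by swap_context.
	///
	/// old_cr3: value returned by swap_context
	void restore_context(unsigned __int64 old_cr3);

	///
	/// Check whether address is canonical under 4-level paging.
	///
	/// address: linear address to test
	/// Returns true if canonical.
	bool is_address_canonical(unsigned __int64 address);

	///
	/// Get the System process directory table base.
	///
	unsigned __int64 get_system_directory_table_base();

	///
	/// Inject an interrupt/exception into the guest on the next VM entry.
	///
	/// vector            : interrupt vector (__exception_vectors)
	/// type              : interruption type (interrupt_type)
	/// error_code        : error code to deliver
	/// deliver_error_code: whether error_code is pushed
	void inject_interruption(unsigned __int32 vector, unsigned __int32 type, unsigned __int32 error_code, bool deliver_error_code);

	///
	/// Write the reset control register (RESET_IO_PORT) to perform a hard reset.
	///
	void hard_reset();

	///
	/// Get the address passed by the guest in an INVPCID instruction.
	///
	/// vcpu: current vcpu (its vmexit_info is decoded)
	/// Returns the guest linear address.
	unsigned __int64 get_guest_address(__vcpu* vcpu);

	///
	/// Write a VMCS field. The template parameter list was lost in this
	/// listing's extraction and is restored here.
	///
	/// vmcs_field: field encoding
	/// value     : value, widened/cast to 64 bits before VMWRITE
	template <typename T>
	void vmwrite(unsigned __int64 vmcs_field, T value)
	{
		__vmx_vmwrite(vmcs_field, (unsigned __int64)value);
	}
}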
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/ia32/dr.h:
--------------------------------------------------------------------------------
1 | #pragma once
// DR6 debug status register. Bits 0-31 are modelled; bits 32-63 are reserved.
union __dr6
{
	unsigned __int64 all;
	struct
	{
		unsigned __int64 breakpoint_condition : 4;              // B0-B3, bits 0-3
		unsigned __int64 reserved_1 : 8; // always 1            // bits 4-11
		unsigned __int64 reserved_2 : 1; // always 0            // bit 12
		unsigned __int64 debug_register_access_detected : 1;    // BD, bit 13
		unsigned __int64 single_instruction : 1;                // BS, bit 14 (single-step)
		unsigned __int64 task_switch : 1;                       // BT, bit 15
		unsigned __int64 restricted_transactional_memory : 1;   // RTM, bit 16
		unsigned __int64 reserved_3 : 15; // always 1           // bits 17-31
	};
};
17 |
// DR7 debug control register. Bits 0-31 are modelled; bits 32-63 are reserved.
union __dr7
{
	unsigned __int64 all;
	struct
	{
		unsigned __int64 local_breakpoint_0 : 1;                // L0, bit 0
		unsigned __int64 global_breakpoint_0 : 1;               // G0, bit 1
		unsigned __int64 local_breakpoint_1 : 1;
		unsigned __int64 global_breakpoint_1 : 1;
		unsigned __int64 local_breakpoint_2 : 1;
		unsigned __int64 global_breakpoint_2 : 1;
		unsigned __int64 local_breakpoint_3 : 1;
		unsigned __int64 global_breakpoint_3 : 1;               // G3, bit 7
		unsigned __int64 local_exact_breakpoint : 1;            // LE, bit 8
		unsigned __int64 global_exact_breakpoint : 1;           // GE, bit 9
		unsigned __int64 reserved_1 : 1; // always 1            // bit 10
		unsigned __int64 restricted_transactional_memory : 1;   // RTM, bit 11
		unsigned __int64 reserved_2 : 1; // always 0            // bit 12
		unsigned __int64 general_detect : 1;                    // GD, bit 13: #DB on any debug-register access
		unsigned __int64 reserved_3 : 2; // always 0            // bits 14-15
		unsigned __int64 read_write_0 : 2;                      // R/W0, bits 16-17
		unsigned __int64 length_0 : 2;                          // LEN0, bits 18-19
		unsigned __int64 read_write_1 : 2;
		unsigned __int64 length_1 : 2;
		unsigned __int64 read_write_2 : 2;
		unsigned __int64 length_2 : 2;
		unsigned __int64 read_write_3 : 2;
		unsigned __int64 length_3 : 2;                          // LEN3, bits 30-31
	};
};

48 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/ia32/exception.h:
--------------------------------------------------------------------------------
1 | #pragma once
// VMCS exception bitmap: bit n set means a guest exception with vector n
// causes a VM exit instead of being delivered to the guest. Vectors 0-20 are
// named; bits 21-31 are left to `all`.
union __exception_bitmap
{
	unsigned __int32 all;
	struct
	{
		unsigned __int32 divide_error : 1;                  // #DE, vector 0
		unsigned __int32 debug : 1;                         // #DB, 1
		unsigned __int32 nmi_interrupt : 1;                 // NMI, 2
		unsigned __int32 breakpoint : 1;                    // #BP, 3
		unsigned __int32 overflow : 1;                      // #OF, 4
		unsigned __int32 bound : 1;                         // #BR, 5
		unsigned __int32 invalid_opcode : 1;                // #UD, 6
		unsigned __int32 device_not_available : 1;          // #NM, 7
		unsigned __int32 double_fault : 1;                  // #DF, 8
		unsigned __int32 coprocessor_segment_overrun : 1;   // 9 (legacy)
		unsigned __int32 invalid_tss : 1;                   // #TS, 10
		unsigned __int32 segment_not_present : 1;           // #NP, 11
		unsigned __int32 stack_segment_fault : 1;           // #SS, 12
		unsigned __int32 general_protection : 1;            // #GP, 13
		unsigned __int32 page_fault : 1;                    // #PF, 14 (also subject to the PFEC mask/match fields)
		unsigned __int32 x87_floating_point_error : 1;      // #MF, 16 -- note bit 15 is skipped, see below
		unsigned __int32 alignment_check : 1;               // #AC, 17
		unsigned __int32 machine_check : 1;                 // #MC, 18
		unsigned __int32 simd_floating_point_error : 1;     // #XM, 19
		unsigned __int32 virtualization_exception : 1;      // #VE, 20
	};
};
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/ia32/mtrr.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Memory-type encodings used by MTRRs and EPT entries (values 2, 3 and 7+ are
// reserved). MEMORY_TYPE_INVALID is a local sentinel, not an architectural value.
enum __mtrr_memory_types
{
	MEMORY_TYPE_UNCACHEABLE,            // UC = 0
	MEMORY_TYPE_WRITE_COMBINING,        // WC = 1
	MEMORY_TYPE_WRITE_THROUGH = 4,      // WT
	MEMORY_TYPE_WRITE_PROTECTED,        // WP = 5
	MEMORY_TYPE_WRITE_BACK,             // WB = 6
	MEMORY_TYPE_INVALID = 255,
};
11 |
// One decoded MTRR range: [physcial_base_address, physcial_end_address] carries
// memory_type. (Field names keep the original spelling; callers depend on them.)
struct __mtrr_range_descriptor
{
	unsigned __int64 physcial_base_address;
	unsigned __int64 physcial_end_address;
	unsigned __int8 memory_type;        // one of __mtrr_memory_types
	bool fixed_range;                   // true if it came from a fixed-range MTRR rather than a variable one
};
19 |
// IA32_MTRR_PHYSMASKn. physmask assumes a 48-bit physical address space
// (36 bits above the 4 KiB page); on CPUs with a larger MAXPHYADDR the top
// mask bits land in reserved2.
union __mtrr_physmask_reg
{
	unsigned __int64 all;
	struct
	{
		unsigned __int64 reserved : 11;     // bits 0-10
		unsigned __int64 valid : 1;         // V, bit 11: range enabled
		unsigned __int64 physmask : 36;     // bits 12-47
		unsigned __int64 reserved2 : 16;    // bits 48-63
	};
};
31 |
// IA32_MTRR_PHYSBASEn. Same 48-bit physical-address assumption as
// __mtrr_physmask_reg.
union __mtrr_physbase_reg
{
	unsigned __int64 all;
	struct
	{
		unsigned __int64 type : 8;          // memory type (__mtrr_memory_types), bits 0-7
		unsigned __int64 reserved : 4;      // bits 8-11
		unsigned __int64 physbase : 36;     // bits 12-47
		unsigned __int64 reserved2 : 16;    // bits 48-63
	};
};
43 |
// IA32_MTRRCAP (read-only).
union __mtrr_cap_reg
{
	unsigned __int64 all;
	struct
	{
		unsigned __int64 range_register_number : 8;     // VCNT: number of variable-range MTRR pairs
		unsigned __int64 fixed_range_support : 1;       // FIX, bit 8
		unsigned __int64 reserved : 1;                  // bit 9
		unsigned __int64 write_combining_support : 1;   // WC, bit 10
		unsigned __int64 smrr_support : 1;              // SMRR, bit 11
		unsigned __int64 reserved2 : 52;                // bits 12-63 (includes PRMRR/other capability bits not modelled here)
	};
};
57 |
// IA32_MTRR_DEF_TYPE: default memory type plus the global MTRR enables.
union __mtrr_def_type
{
	unsigned __int64 all;
	struct
	{
		unsigned __int64 memory_type : 8;               // default type for addresses no MTRR covers
		unsigned __int64 reserved1 : 2;                 // bits 8-9
		unsigned __int64 fixed_range_mtrr_enabled : 1;  // FE, bit 10
		unsigned __int64 mtrr_enabled : 1;              // E, bit 11: when clear every address is UC
		unsigned __int64 reserved2 : 52;
	};
};
70 |
// One fixed-range MTRR (IA32_MTRR_FIX*): eight memory-type bytes, one per
// sub-range, lowest address in types[0].
union __mtrr_fixed_range_type
{
	unsigned __int64 all;
	struct
	{
		unsigned __int8 types[8];
	};
};
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/ia32/rflags.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// RFLAGS. Bits 0-21 are named; bits 22-63 are reserved and only reachable through `all`.
union __rflags
{
	unsigned __int64 all;
	struct
	{
		unsigned __int64 carry_flag : 1;                    // CF, bit 0
		unsigned __int64 read_as_1 : 1;                     // bit 1, always 1
		unsigned __int64 parity_flag : 1;                   // PF, bit 2
		unsigned __int64 reserved_1 : 1;                    // bit 3
		unsigned __int64 auxiliary_carry_flag : 1;          // AF, bit 4
		unsigned __int64 reserved_2 : 1;                    // bit 5
		unsigned __int64 zero_flag : 1;                     // ZF, bit 6
		unsigned __int64 sign_flag : 1;                     // SF, bit 7
		unsigned __int64 trap_flag : 1;                     // TF, bit 8: single-step
		unsigned __int64 interrupt_enable_flag : 1;         // IF, bit 9
		unsigned __int64 direction_flag : 1;                // DF, bit 10
		unsigned __int64 overflow_flag : 1;                 // OF, bit 11
		unsigned __int64 io_privilege_level : 2;            // IOPL, bits 12-13
		unsigned __int64 nested_task_flag : 1;              // NT, bit 14
		unsigned __int64 reserved_3 : 1;                    // bit 15
		unsigned __int64 resume_flag : 1;                   // RF, bit 16
		unsigned __int64 virtual_8086_mode_flag : 1;        // VM, bit 17
		unsigned __int64 alignment_check_flag : 1;          // AC, bit 18
		unsigned __int64 virtual_interrupt_flag : 1;        // VIF, bit 19
		unsigned __int64 virtual_interrupt_pending_flag : 1;// VIP, bit 20
		unsigned __int64 identification_flag : 1;           // ID, bit 21
	};
};
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/ia32/segment.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Segment register indices in the order the VMCS guest/host segment fields
// are laid out (ES, CS, SS, DS, FS, GS, LDTR, TR).
enum __segment_registers
{
	ES = 0,
	CS,
	SS,
	DS,
	FS,
	GS,
	LDTR,
	TR
};
13 |
// Segment access rights in the VMCS format (LAR layout shifted right by 8
// bits, plus the VMX-specific "unusable" bit 16).
union __segment_access_rights
{
	struct
	{
		unsigned __int32 type : 4;              // segment type, bits 0-3
		unsigned __int32 descriptor_type : 1;   // S, bit 4: 0 = system, 1 = code/data
		unsigned __int32 dpl : 2;               // bits 5-6
		unsigned __int32 present : 1;           // P, bit 7
		unsigned __int32 reserved0 : 4;         // bits 8-11
		unsigned __int32 available : 1;         // AVL, bit 12
		unsigned __int32 long_mode : 1;         // L, bit 13 (code segments)
		unsigned __int32 default_big : 1;       // D/B, bit 14
		unsigned __int32 granularity : 1;       // G, bit 15
		unsigned __int32 unusable : 1;          // bit 16: segment is unusable (VMX only)
		unsigned __int32 reserved1 : 15;        // bits 17-31
	};

	unsigned __int32 all;
};
33 |
// 16-byte system segment descriptor as used for 64-bit TSS/LDT entries. For
// ordinary 8-byte code/data descriptors only the first 8 bytes (through
// base_high) apply; base_upper/reserved must not be read for those.
struct __segment_descriptor
{
	unsigned __int16 limit_low;                 // limit bits 0-15
	unsigned __int16 base_low;                  // base bits 0-15
	union
	{
		struct
		{
			unsigned __int32 base_middle : 8;       // base bits 16-23
			unsigned __int32 type : 4;
			unsigned __int32 descriptor_type : 1;   // S
			unsigned __int32 dpl : 2;
			unsigned __int32 present : 1;           // P
			unsigned __int32 segment_limit_high : 4;// limit bits 16-19
			unsigned __int32 system : 1;            // this is the AVL bit (descriptor bit 52), despite the name
			unsigned __int32 long_mode : 1;         // L
			unsigned __int32 default_big : 1;       // D/B
			unsigned __int32 granularity : 1;       // G: limit is in 4 KiB units
			unsigned __int32 base_high : 8;         // base bits 24-31
		};
	};

	unsigned __int32 base_upper;                // base bits 32-63 (system descriptors only)
	unsigned __int32 reserved;
};
59 |
// Segment selector: requestor privilege level, table indicator (0 = GDT,
// 1 = LDT) and descriptor index.
union __segment_selector
{
	unsigned short all;
	struct
	{
		unsigned short rpl : 2;     // bits 0-1
		unsigned short ti : 1;      // bit 2
		unsigned short index : 13;  // bits 3-15; byte offset into the table is index * 8
	};
};
70 |
#pragma pack(push, 1)
// 10-byte operand of SGDT/SIDT/LGDT/LIDT in 64-bit mode. Packing is required:
// without it the 64-bit base would be aligned to offset 8.
struct __pseudo_descriptor64
{
	unsigned __int16 limit;         // table size in bytes minus one
	unsigned __int64 base_address;  // linear address of the table
};
#pragma pack(pop)
78 |
#pragma pack(push, 1)
// 6-byte descriptor-table operand used outside 64-bit mode (32-bit base).
struct __pseudo_descriptor32
{
	unsigned __int16 limit;
	unsigned __int32 base_address;
};
#pragma pack(pop)
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/interrupt.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #define RESET_IO_PORT 0xCF9
3 |
// Architectural exception vectors 0-31 (the enumerator value is the vector).
// Several names carry original misspellings (NMII, DOUBLE_FAULTT,
// SEGMENT_NOT_PRESENTT); they are kept because callers reference them.
enum __exception_vectors
{
	EXCEPTION_VECTOR_DIVIDE_ERROR,                      // 0  #DE
	EXCEPTION_VECTOR_SINGLE_STEP,                       // 1  #DB
	EXCEPTION_VECTOR_NMII,                              // 2  NMI
	EXCEPTION_VECTOR_BREAKPOINT,                        // 3  #BP
	EXCEPTION_VECTOR_OVERFLOW,                          // 4  #OF
	EXCEPTION_VECTOR_BOUND_RANGE_EXCEEDED,              // 5  #BR
	EXCEPTION_VECTOR_UNDEFINED_OPCODE,                  // 6  #UD
	EXCEPTION_VECTOR_NO_MATH_COPROCESSOR,               // 7  #NM
	EXCEPTION_VECTOR_DOUBLE_FAULTT,                     // 8  #DF
	EXCEPTION_VECTOR_RESERVED0,                         // 9  (coprocessor segment overrun, legacy)
	EXCEPTION_VECTOR_INVALID_TASK_SEGMENT_SELECTOR,     // 10 #TS
	EXCEPTION_VECTOR_SEGMENT_NOT_PRESENTT,              // 11 #NP
	EXCEPTION_VECTOR_STACK_SEGMENT_FAULT,               // 12 #SS
	EXCEPTION_VECTOR_GENERAL_PROTECTION_FAULT,          // 13 #GP
	EXCEPTION_VECTOR_PAGE_FAULT,                        // 14 #PF
	EXCEPTION_VECTOR_RESERVED1,                         // 15
	EXCEPTION_VECTOR_MATH_FAULT,                        // 16 #MF
	EXCEPTION_VECTOR_ALIGNMENT_CHECK,                   // 17 #AC
	EXCEPTION_VECTOR_MACHINE_CHECK,                     // 18 #MC
	EXCEPTION_VECTOR_SIMD_FLOATING_POINT_NUMERIC_ERROR, // 19 #XM
	EXCEPTION_VECTOR_VIRTUAL_EXCEPTION,                 // 20 #VE
	EXCEPTION_VECTOR_RESERVED2,                         // 21 (#CP on CET-capable parts)
	EXCEPTION_VECTOR_RESERVED3,
	EXCEPTION_VECTOR_RESERVED4,
	EXCEPTION_VECTOR_RESERVED5,
	EXCEPTION_VECTOR_RESERVED6,
	EXCEPTION_VECTOR_RESERVED7,
	EXCEPTION_VECTOR_RESERVED8,
	EXCEPTION_VECTOR_RESERVED9,
	EXCEPTION_VECTOR_RESERVED10,
	EXCEPTION_VECTOR_RESERVED11,
	EXCEPTION_VECTOR_RESERVED12                         // 31
};
39 |
// Interruption type field (bits 8-10) of the VM-entry interruption-information
// and VM-exit interruption-information formats.
enum interrupt_type
{
	INTERRUPT_TYPE_EXTERNAL_INTERRUPT = 0,
	INTERRUPT_TYPE_RESERVED = 1,
	INTERRUPT_TYPE_NMI = 2,
	INTERRUPT_TYPE_HARDWARE_EXCEPTION = 3,              // faults/traps/aborts raised by the CPU
	INTERRUPT_TYPE_SOFTWARE_INTERRUPT = 4,              // INT n
	INTERRUPT_TYPE_PRIVILEGED_SOFTWARE_INTERRUPT = 5,   // INT1 / ICEBP
	INTERRUPT_TYPE_SOFTWARE_EXCEPTION = 6,              // INT3, INTO
	INTERRUPT_TYPE_OTHER_EVENT = 7
};
51 |
// VM-entry interruption-information field. With valid set, the processor
// delivers the event to the guest on the next VM entry (hv::inject_interruption).
union __vmentry_interrupt_info
{
	unsigned __int32 all;
	struct
	{
		unsigned __int32 interrupt_vector : 8;      // bits 0-7
		unsigned __int32 interruption_type : 3;     // bits 8-10, interrupt_type
		unsigned __int32 deliver_error_code : 1;    // bit 11: push VM-entry exception error code
		unsigned __int32 reserved : 19;             // bits 12-30
		unsigned __int32 valid : 1;                 // bit 31

	};
};
65 |
// The three VM-entry event-injection fields kept together: the interruption
// info, the instruction length (for software interrupts/exceptions) and the
// error code to deliver.
struct __vmentry_event_information
{
	__vmentry_interrupt_info interrupt_info;
	unsigned __int32 instruction_length;
	unsigned __int64 error_code;
};
72 |
// VM-exit interruption-information field, describing the exception/NMI that
// caused an exit (exit reason 0).
union __vmexit_interrupt_info
{
	struct
	{
		unsigned __int32 vector : 8;                // bits 0-7
		unsigned __int32 interruption_type : 3;     // bits 8-10, interrupt_type
		unsigned __int32 error_code_valid : 1;      // bit 11: VM-exit interruption error code is valid
		unsigned __int32 nmi_unblocking : 1;        // bit 12: NMI unblocking due to IRET
		unsigned __int32 reserved : 18;             // bits 13-30
		unsigned __int32 valid : 1;                 // bit 31
	};
	unsigned __int32 all;
};
86 |
// Reset control register at I/O port RESET_IO_PORT (0xCF9). Writing it resets
// the machine immediately; hv::hard_reset uses it as a last resort.
union __reset_control_register
{
	unsigned __int8 all;
	struct
	{
		unsigned __int8 reserved0 : 1;
		unsigned __int8 system_reset : 1;   // bit 1: 0 = soft (CPU only), 1 = hard reset when reset_cpu is pulsed
		unsigned __int8 reset_cpu : 1;      // bit 2: 0->1 transition triggers the reset
		unsigned __int8 full_reset : 1;     // bit 3: power cycle
		unsigned __int8 reserved1 : 4;
	};
};

99 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/invalidators.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201)
2 | #include "invalidators.h"
3 | #include "asm\vm_intrin.h"
4 |
///
/// Invalidate EPT-derived TLB and paging-structure-cache entries for one EPTP
/// (INVEPT type 1).
///
/// ept_pointer: the EPTP value (as written to the VMCS) whose mappings are flushed
/// Must run in VMX root operation (#UD otherwise). The asm wrapper discards
/// RFLAGS, so a rejected descriptor is not reported to the caller.
void invept_single_context(unsigned __int64 ept_pointer)
{
	__invept_descriptor target{ ept_pointer, 0 };
	__invept(INVEPT_SINGLE_CONTEXT, &target);
}
16 |
///
/// Invalidate EPT-derived mappings for every EPTP (INVEPT type 2).
///
/// A zeroed descriptor is still supplied: the operand must exist and its
/// reserved bits must be clear. VMX root operation only.
void invept_all_contexts()
{
	__invept_descriptor all_contexts{};
	__invept(INVEPT_ALL_CONTEXTS, &all_contexts);
}
25 |
///
/// Invalidate the translation of a single linear address tagged with one VPID
/// (INVVPID type 0).
///
/// linear_address: address whose TLB/paging-structure entries are dropped
/// vpid          : VPID the entries are tagged with; the descriptor field is
///                 16 bits but this parameter is 8, so VPIDs above 255 cannot
///                 be expressed here. A VPID of 0 is rejected by the processor
///                 for this type, and the asm wrapper does not surface that.
/// VMX root operation only.
void invvpid_invidual_address(unsigned __int64 linear_address,unsigned __int8 vpid)
{
	__invvpid_descriptor target = {};
	target.vpid = vpid;
	target.linear_address = linear_address;

	__invvpid(INVVPID_INVIDUAL_ADDRESS, &target);
}
39 |
///
/// Invalidate all translations tagged with one VPID, global ones included
/// (INVVPID type 1).
///
/// vpid: VPID whose entries are dropped (0 is rejected by the processor for
///       this type; the asm wrapper does not report it). VMX root only.
void invvpid_single_context(unsigned __int8 vpid)
{
	__invvpid_descriptor context = {};
	context.vpid = vpid;
	__invvpid(INVVPID_SINGLE_CONTEXT, &context);
}
51 |
///
/// Invalidate translations for every VPID (INVVPID type 2). The descriptor is
/// zeroed so its reserved bits are clear. VMX root only.
///
void invvpid_all_contexts()
{
	__invvpid_descriptor every_context{};
	__invvpid(INVVPID_ALL_CONTEXTS, &every_context);
}
60 |
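///
/// Invalidate all non-global translations tagged with one VPID
/// (INVVPID type 3).
///
/// vpid: VPID whose entries are dropped (0 is rejected by the processor for
///       this type; the asm wrapper does not report it). VMX root only.
/// The body no longer `return`s the result of a void call, matching the other
/// wrappers in this file.
void invvpid_single_context_except_global_translations(unsigned __int8 vpid)
{
	__invvpid_descriptor descriptor = { 0 };
	descriptor.vpid = vpid;
	__invvpid(INVVPID_SINGLE_EXCEPT_GLOBAL_TRANSLATIONS, &descriptor);
}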
71 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/invalidators.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// 16-byte INVEPT operand: the EPTP in the first quadword, second quadword
// reserved (must be zero).
struct __invept_descriptor
{
	unsigned __int64 ept_pointer;
	unsigned __int64 reserved;
};
9 |
// 16-byte INVPCID operand: PCID in bits 0-11, bits 12-63 reserved, then the
// linear address. Declared here but not used by the wrappers in this file.
struct __invpcid_descriptor
{
	unsigned __int64 pcid : 12;
	unsigned __int64 reserved : 52;
	unsigned __int64 linear_address;
};
16 |
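// 16-byte INVVPID operand: VPID in bits 0-15 of the first quadword, bits 16-63
// reserved (must be zero), linear address in the second quadword.
struct __invvpid_descriptor
{
	// This used to be an anonymous union, which placed `reserved` on top of
	// `vpid` (both bit-fields started at bit 0), so writing reserved = 0 after
	// vpid silently erased the VPID. A struct gives the intended 64-bit layout
	// and the same sizeof (16).
	struct
	{
		unsigned __int64 vpid : 16;
		unsigned __int64 reserved : 48;
	};

	unsigned __int64 linear_address;
};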
27 |
// INVEPT types (register operand). Type 0 is not defined by the architecture.
enum invept_type
{
	INVEPT_SINGLE_CONTEXT = 0x00000001,   // one EPTP
	INVEPT_ALL_CONTEXTS = 0x00000002      // every EPTP
};
33 |
// INVVPID types (register operand), values 0-3 in architectural order.
enum invvpid_type
{
	INVVPID_INVIDUAL_ADDRESS,                   // 0: one linear address, one VPID
	INVVPID_SINGLE_CONTEXT,                     // 1: one VPID, including global translations
	INVVPID_ALL_CONTEXTS,                       // 2: every VPID
	INVVPID_SINGLE_EXCEPT_GLOBAL_TRANSLATIONS   // 3: one VPID, excluding global translations
};
41 |
// INVPCID types (register operand), values 0-3 in architectural order.
enum invpcid_type
{
	INVPCID_INVIDUAL_ADDRESS,
	INVPCID_SINGLE_CONTEXT,
	INVPCID_ALL_CONTEXTS,
	INVPCID_ALL_CONTEXTS_EXCEPT_GLOBAL_TRANSLATIONS
};
49 |
///
/// Invalidate EPT-derived mappings for one EPTP (INVEPT type 1).
///
/// ept_pointer: EPTP value as written to the VMCS
/// All functions below execute INVEPT/INVVPID and are valid only in VMX root
/// operation; the asm wrappers discard the instruction's RFLAGS result, so a
/// rejected invalidation is silent.
void invept_single_context(unsigned __int64 ept_pointer);

///
/// Invalidate EPT-derived mappings for every EPTP (INVEPT type 2).
///
void invept_all_contexts();

///
/// Invalidate one linear address under one VPID (INVVPID type 0).
///
/// linear_address: address whose entries are dropped
/// vpid          : 8-bit here although the descriptor field is 16-bit; 0 is rejected for this type
void invvpid_invidual_address(unsigned __int64 linear_address, unsigned __int8 vpid);

///
/// Invalidate all translations tagged with one VPID, global ones included (INVVPID type 1).
///
/// vpid: VPID whose entries are dropped (0 is rejected for this type)
void invvpid_single_context(unsigned __int8 vpid);

///
/// Invalidate translations for every VPID (INVVPID type 2).
///
void invvpid_all_contexts();

///
/// Invalidate non-global translations tagged with one VPID (INVVPID type 3).
///
/// vpid: VPID whose entries are dropped (0 is rejected for this type)
void invvpid_single_context_except_global_translations(unsigned __int8 vpid);

84 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/log.cpp:
--------------------------------------------------------------------------------
1 | #define _NO_CRT_STDIO_INLINE
2 | #include
3 | #include
4 | #include
5 | #include "log.h"
6 |
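// Emit one log line, "[HH:MM:SS.mmm] [LEVEL] message\r\n", through DbgPrintEx
// (IHVDRIVER component at error level, so it is not filtered by default).
//
// type: severity label. Unknown values are labelled "[UNKNOWN]"; previously
//       LogType stayed NULL and was handed to a %s conversion.
// fmt : printf-style format followed by its arguments. The Log* macros in
//       log.h build fmt from a string literal, so it is never runtime data.
//
// Sizing: RtlStringCchVPrintfA truncates the message to sizeof(MessageBuffer)-1
// characters and NUL-terminates; the assembled line (14-byte timestamp, up to
// 13-byte tag, 411-byte message, separators and CRLF) fits in OutputBuffer.
// Whatever is logged here is visible to any kernel debugger / DbgView session
// on the machine, so do not log secrets or addresses meant to stay hidden.
// NOTE(review): the ntstrsafe calls and DbgPrintEx assume a normal kernel
// context; whether callers invoke this from VM-exit (root) context is not
// visible here.
void LogPrint(__log_type type, const char* fmt, ...)
{
	const char* LogType = "[UNKNOWN]";
	LARGE_INTEGER SystemTime = {};
	LARGE_INTEGER LocalTime = {};
	TIME_FIELDS TimeFields = {};
	char TimeBuffer[20] = {};
	char MessageBuffer[412] = {};
	const char* OutputFormat = "%s %s %s\r\n";
	char OutputBuffer[512] = {};
	va_list Args = {};

	switch (type)
	{
	case LOG_TYPE_DEBUG:
		LogType = "[DEBUG]";
		break;
	case LOG_TYPE_DUMP:
		LogType = "[DUMP]";
		break;
	case LOG_TYPE_ERROR:
		LogType = "[ERROR]";
		break;
	case LOG_TYPE_INFO:
		LogType = "[INFORMATION]";
		break;
	default:
		// keep "[UNKNOWN]" rather than a NULL pointer
		break;
	}

	//
	// Local wall-clock timestamp.
	//
	KeQuerySystemTime(&SystemTime);
	ExSystemTimeToLocalTime(&SystemTime, &LocalTime);
	RtlTimeToTimeFields(&LocalTime, &TimeFields);

	RtlStringCchPrintfA(
		TimeBuffer,
		sizeof(TimeBuffer),
		"[%02hd:%02hd:%02hd.%03hd]",
		TimeFields.Hour,
		TimeFields.Minute,
		TimeFields.Second,
		TimeFields.Milliseconds);

	//
	// Caller's message; bounded and NUL-terminated by the Cch routine.
	//
	va_start(Args, fmt);
	RtlStringCchVPrintfA(MessageBuffer, sizeof(MessageBuffer), fmt, Args);
	va_end(Args);

	RtlStringCchPrintfA(
		OutputBuffer,
		sizeof(OutputBuffer),
		OutputFormat,
		TimeBuffer,
		LogType,
		MessageBuffer);

	// "%s" keeps any '%' in the assembled line from being reinterpreted.
	DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "%s", OutputBuffer);
}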
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/log.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Logging entry points. `format` must be a string literal: it is concatenated
// with " [%s:%d] " at preprocessing time, which both prefixes the calling
// function/line and guarantees the format string can never be runtime data
// (a non-literal argument fails to compile). The trailing ", __VA_ARGS__"
// relies on MSVC dropping the comma when no extra arguments are given.
#define LogError(format, ...) \
LogPrint(LOG_TYPE_ERROR," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogDebug(format, ...) \
LogPrint(LOG_TYPE_DEBUG," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogDump(format, ...) \
LogPrint(LOG_TYPE_DUMP," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogInfo(format, ...) \
LogPrint(LOG_TYPE_INFO," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
10 |
// Severity labels understood by LogPrint; each maps to a fixed "[TAG]" prefix.
enum __log_type
{
	LOG_TYPE_DEBUG,
	LOG_TYPE_ERROR,
	LOG_TYPE_DUMP,
	LOG_TYPE_INFO
};
18 |
19 | void LogPrint(__log_type type, const char* fmt, ...);
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/main.cpp:
--------------------------------------------------------------------------------
1 | #pragma warning( disable : 4201 4805)
2 | #include
3 | #include
4 | #include "log.h"
5 | #include "ntapi.h"
6 | #include "hypervisor_routines.h"
7 | #include "hypervisor_gateway.h"
8 | #include "vmm.h"
9 |
// IOCTL the control driver sends to have the pool manager allocate memory on
// the hypervisor's behalf. FILE_SPECIAL_ACCESS is FILE_ANY_ACCESS, and the
// device is created with plain IoCreateDevice (no SDDL), so any local caller
// that can open \\.\airhv can issue it.
#define IOCTL_POOL_MANAGER_ALLOCATE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

// Global hypervisor context; NULL until allocated (allocation is outside this listing).
__vmm_context* g_vmm_context = 0;
13 |
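// Driver unload: devirtualise if the hypervisor was launched, release the
// context, and remove the device interface.
//
// driver_object: this driver's object; DeviceObject may be NULL if
//                IoCreateDevice failed in DriverEntry (DriverEntry continues past
//                that failure), so it is checked before IoDeleteDevice.
VOID driver_unload(PDRIVER_OBJECT driver_object)
{
	UNICODE_STRING dos_device_name;

	//
	// Only vcpu 0's launch flag is consulted, as before. vcpu_table and its
	// first entry are checked too so an unload after a partially failed
	// initialisation does not dereference NULL.
	//
	if(g_vmm_context != NULL && g_vmm_context->vcpu_table != NULL && g_vmm_context->vcpu_table[0] != NULL)
	{
		if (g_vmm_context->vcpu_table[0]->vcpu_status.vmm_launched == true)
		{
			hvgt::ept_unhook();
			hvgt::vmoff();
		}
	}

	hv::disable_vmx_operation();
	free_vmm_context();

	RtlInitUnicodeString(&dos_device_name, L"\\DosDevices\\airhv");
	IoDeleteSymbolicLink(&dos_device_name);

	// IoDeleteDevice on a NULL pointer bugchecks.
	if (driver_object->DeviceObject != NULL)
	{
		IoDeleteDevice(driver_object->DeviceObject);
	}
}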
33 |
// IRP_MJ_CREATE / IRP_MJ_CLOSE handler: every open and close succeeds with no
// data transferred. No access check happens here, and the device carries no
// SDDL, so any local caller can obtain a handle to \\.\airhv.
//
// device_object: unused
// irp          : request to complete
// Returns STATUS_SUCCESS.
NTSTATUS driver_create_close(_In_ PDEVICE_OBJECT device_object, _In_ PIRP irp)
{
	UNREFERENCED_PARAMETER(device_object);

	const NTSTATUS result = STATUS_SUCCESS;
	irp->IoStatus.Information = 0;
	irp->IoStatus.Status = result;
	IoCompleteRequest(irp,IO_NO_INCREMENT);

	return result;
}
45 |
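/// IRP_MJ_DEVICE_CONTROL handler.
///
/// Supports a single control code, IOCTL_POOL_MANAGER_ALLOCATE, which runs the
/// pool manager's queued allocations (pool_manager::perform_allocation, a bool
/// routine declared in poolmanager.h). No request carries an input or output
/// buffer, so Information is always 0.
///
/// Two fixes versus the original:
///  - perform_allocation() returns bool, and the original assigned that bool
///    straight to the NTSTATUS: a failed allocation became 0 == STATUS_SUCCESS
///    and a successful one became 1. The result is now mapped explicitly.
///  - unknown control codes were completed with STATUS_SUCCESS; they are now
///    rejected with STATUS_INVALID_DEVICE_REQUEST so a mistyped code in a
///    caller does not look like it worked.
///
/// @param device_object  unused.
/// @param irp            request to complete.
/// @return the status also stored in irp->IoStatus.Status.
NTSTATUS driver_ioctl_dispatcher(_In_ PDEVICE_OBJECT device_object, _In_ PIRP irp)
{
    UNREFERENCED_PARAMETER(device_object);

    const PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp);
    NTSTATUS status;

    switch (stack->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_POOL_MANAGER_ALLOCATE:
        //
        // Used by hypervisor control driver to perform allocations
        //
        status = pool_manager::perform_allocation() ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
        break;

    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    irp->IoStatus.Status = status;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return status;
}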
71 |
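/// Driver entry point.
///
/// Order of operations:
///   1. refuse to load on a processor without VMX support (nothing to undo);
///   2. create \Device\airhv, its \DosDevices\airhv link and the dispatch /
///      unload routines;
///   3. initialize and launch the VMM; if that fails, leave VMX operation,
///      free the context and remove the link and device.
///
/// Fixes versus the original: IoCreateDevice's failure was only returned after
/// the VMM had been launched anyway (DriverUnload is not called when
/// DriverEntry fails, so VMX would have stayed on with no owner); the result
/// of IoCreateSymbolicLink was ignored; and the device object leaked on the
/// later failure paths. Behaviour on the success path is unchanged.
///
/// NOTE(review): the device is created without an explicit security
/// descriptor (IoCreateDevice rather than IoCreateDeviceSecure), so who may
/// open it -- and therefore issue IOCTL_POOL_MANAGER_ALLOCATE -- is whatever
/// the default DACL for a FILE_DEVICE_UNKNOWN device grants; confirm that is
/// the intended trust boundary.
///
/// @param driver_object  this driver's object.
/// @param reg            registry path; unused.
/// @return STATUS_SUCCESS, the IoCreateDevice/IoCreateSymbolicLink failure
///         code, or STATUS_FAILED_DRIVER_ENTRY.
extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PCUNICODE_STRING reg)
{
    UNREFERENCED_PARAMETER(reg);

    //
    // Check if our cpu support virtualization. Done first: no resources exist
    // yet, so nothing has to be cleaned up on this path.
    //
    if (!hv::virtualization_support())
    {
        LogError("VMX operation is not supported on this processor.\n");
        return STATUS_FAILED_DRIVER_ENTRY;
    }

    UNICODE_STRING driver_name, dos_device_name;
    RtlInitUnicodeString(&driver_name, L"\\Device\\airhv");
    RtlInitUnicodeString(&dos_device_name, L"\\DosDevices\\airhv");

    PDEVICE_OBJECT device_object = NULL;
    NTSTATUS status = IoCreateDevice(driver_object, 0, &driver_name, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device_object);
    if (!NT_SUCCESS(status))
    {
        LogError("IoCreateDevice failed: 0x%08X\n", status);
        return status;
    }

    driver_object->MajorFunction[IRP_MJ_CLOSE] = driver_create_close;
    driver_object->MajorFunction[IRP_MJ_CREATE] = driver_create_close;
    driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL] = driver_ioctl_dispatcher;

    driver_object->DriverUnload = driver_unload;
    driver_object->Flags |= DO_BUFFERED_IO;

    status = IoCreateSymbolicLink(&dos_device_name, &driver_name);
    if (!NT_SUCCESS(status))
    {
        // Without the link user mode cannot reach the device; fail loudly
        // instead of loading a driver nobody can talk to.
        LogError("IoCreateSymbolicLink failed: 0x%08X\n", status);
        IoDeleteDevice(device_object);
        return status;
    }

    //
    // Initialize and start virtual machine
    // If it fails turn off vmx and deallocate all structures, then undo the
    // device setup because DriverUnload will not run for a failed entry.
    //
    if (vmm_init() == false)
    {
        hv::disable_vmx_operation();
        free_vmm_context();
        LogError("Vmm initialization failed");
        IoDeleteSymbolicLink(&dos_device_name);
        IoDeleteDevice(device_object);
        return STATUS_FAILED_DRIVER_ENTRY;
    }

    return STATUS_SUCCESS;
}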
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/ntapi.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Partial mirror of the undocumented KPROCESS layout: only the leading members
// up to DirectoryTableBase (the process page-directory base, i.e. its CR3) are
// declared. The offsets are for the x64 layout the author targeted
// (DirectoryTableBase lands at 0x28 because LIST_ENTRY is 0x10 bytes); they
// are not guaranteed stable across Windows builds, so verify before use.
struct __nt_kprocess
{
    DISPATCHER_HEADER Header; //0x0
    LIST_ENTRY ProfileListHead; //0x18
    ULONGLONG DirectoryTableBase; //0x28
};
10 |
// Exported but undocumented ntoskrnl routines. KeGenericCallDpc queues a DPC
// with the given routine/context on every processor and waits for them;
// inside that routine, KeSignalCallDpcSynchronize acts as a barrier across
// processors and KeSignalCallDpcDone signals completion. Presumably used for
// per-processor VMX setup/teardown -- confirm in vmm.cpp.
extern "C"
{
    void NTAPI KeGenericCallDpc(_In_ PKDEFERRED_ROUTINE Routine, PVOID Context);
    void NTAPI KeSignalCallDpcDone(_In_ PVOID SystemArgument1);
    BOOLEAN NTAPI KeSignalCallDpcSynchronize(_In_ PVOID SystemArgument2);
}
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/poolmanager.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
namespace pool_manager
{
    /// What a pre-allocated pool will be used for. A pool is only handed out
    /// to a requester whose intention matches the one it was allocated with.
    enum allocation_intention
    {
        INTENTION_NONE,
        INTENTION_TRACK_HOOKED_PAGES,
        INTENTION_EXEC_TRAMPOLINE,
        INTENTION_SPLIT_PML2,
        INTENTION_TRACK_HOOKED_FUNCTIONS
    };

    /// Up to 10 pending allocation requests stored as parallel arrays: slot i
    /// asks for count[i] pools of size[i] bytes for intention[i].
    struct __request_new_allocation
    {
        unsigned __int64 size[10];
        unsigned __int32 count[10];
        allocation_intention intention[10];
    };

    /// Pool-manager state: the pending requests, the circular list of
    /// allocated pools (__pool_table entries linked through pool_list) and the
    /// two spinlocks that guard them. The flag's exact use lives in
    /// poolmanager.cpp, which is not part of this header.
    struct __pool_manager
    {
        __request_new_allocation* allocation_requests;
        PLIST_ENTRY list_of_allocated_pools;
        volatile long lock_for_request_allocation;
        volatile long lock_for_reading_pool;
        bool is_request_for_allocation_recived;
    };

    /// One node of list_of_allocated_pools.
    struct __pool_table
    {
        void* address;
        unsigned __int64 size;
        allocation_intention intention;
        LIST_ENTRY pool_list;
        bool is_busy;    // currently handed out (cleared by release_pool)
        bool recycled;   // was released once and may be handed out again
    };

    /// Logs information about every allocated pool.
    void dump_pools_info();

    /// Queues a request for `count` pools of `size` bytes for `intention`;
    /// the request is fulfilled later by perform_allocation().
    /// @return status
    bool request_allocation(unsigned __int64 size, unsigned __int32 count, allocation_intention intention);

    /// Initializes the pool-manager structure and pre-allocates pools.
    /// @return status
    bool initialize();

    /// Frees every allocated pool.
    void uninitialize();

    /// Marks the pool at `address` as no longer busy and as recycled.
    void release_pool(void* address);

    /// Allocates every queued pool (must run where allocation is allowed;
    /// triggered through IOCTL_POOL_MANAGER_ALLOCATE in main.cpp).
    /// @return status
    bool perform_allocation();

    /// Hands out a pre-allocated pool and, optionally, queues a replacement.
    ///
    /// @tparam T          pointer type the pool address is cast to.
    /// @param intention   what the pool will be used for; only a free pool
    ///                    allocated with the same intention is returned.
    /// @param new_pool    if true, request a new pool with the same properties
    ///                    unless the pool just obtained was a recycled one.
    /// @param size        size of the replacement pool (only used when
    ///                    new_pool is true).
    /// @return the pool address cast to T, or (T)0 if no free pool matched --
    ///         in that case the replacement request (if asked for) still goes
    ///         out, so a later call can succeed. Callers must check for 0.
    ///
    /// The list walk happens under lock_for_reading_pool; the replacement
    /// request is issued after the lock is dropped.
    template <typename T>
    T request_pool(allocation_intention intention, bool new_pool, unsigned __int64 size)
    {
        __pool_manager* const manager = g_vmm_context->pool_manager;
        PLIST_ENTRY const head = manager->list_of_allocated_pools;
        void* found_address = 0;
        bool found_recycled = false;

        spinlock::lock(&manager->lock_for_reading_pool);

        // Walk every node except the list head itself.
        for (PLIST_ENTRY node = head->Flink; node != head; node = node->Flink)
        {
            __pool_table* entry = (__pool_table*)CONTAINING_RECORD(node, __pool_table, pool_list);

            if (entry->intention != intention || entry->is_busy)
                continue;

            entry->is_busy = true;
            found_recycled = entry->recycled;
            found_address = entry->address;
            break;
        }

        spinlock::unlock(&manager->lock_for_reading_pool);

        //
        // A recycled pool does not trigger a replacement allocation, to avoid
        // growing memory use; if nothing was found the request is still sent.
        //
        if (new_pool && !found_recycled)
            request_allocation(size, 1, intention);

        return (T)found_address;
    }
}
125 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/spinlock.cpp:
--------------------------------------------------------------------------------
1 | #include
2 |
namespace spinlock
{
    // This implementation is derived from Hvpp by Petr Benes
    // - https://github.com/wbenny/hvpp
    // It is a test-and-test-and-set spinlock with exponential backoff: the
    // only thing separating it from the naive version is the growing number
    // of "pause" instructions executed between acquisition attempts. The
    // interface (try_lock / lock / unlock on a volatile long) is the one
    // std::lock_guard expects.
    //
    // Further reading:
    // - https://locklessinc.com/articles/locks/
    // - https://github.com/cyfdecyf/spinlock

    // Upper bound on the number of pauses between two acquisition attempts.
    static unsigned max_wait = 65536;

    /// Single acquisition attempt.
    /// @param lock_  the lock word; 0 means free.
    /// @return true if the lock was taken by this call.
    bool try_lock(volatile long* lock_)
    {
        // Plain read first: contended waiters spin on a shared cache line
        // instead of issuing an atomic RMW on every iteration.
        if (*lock_)
            return false;

        // Bit 0 was clear before we set it -> we own the lock.
        return _interlockedbittestandset(lock_, 0) == 0;
    }

    /// Blocks until the lock is acquired.
    void lock(volatile long* lock_)
    {
        unsigned __int32 backoff = 1;

        while (!try_lock(lock_))
        {
            for (unsigned __int32 i = 0; i < backoff; ++i)
                _mm_pause();

            // Double the pause count each round, clamped to max_wait so the
            // wait never grows unbounded.
            backoff = (backoff * 2 > max_wait) ? max_wait : backoff * 2;
        }
    }

    /// Releases the lock. A plain volatile store; on MSVC for x86/x64 this
    /// has release ordering (default /volatile:ms) -- a port to another
    /// compiler would need an explicit release operation here.
    void unlock(volatile long* lock_)
    {
        *lock_ = 0;
    }
}
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/vmcall_handler.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Argument block for VMCALL_EPT_HOOK_FUNCTION. The first four members mirror
// the parameters of hvgt::hook_function (target address, hook routine,
// out-pointer receiving the address used to call the original, optional code
// cave/trampoline). The role of protection_mask and swap_context is defined
// by the vmcall handler, which is not on this page -- confirm there.
// (Field names keep the original "adress" spelling; renaming would be an ABI
// change for every caller.)
struct __vmcall_hook_page
{
    void* target_adress;
    void* hook_function;
    void** origin_adress;
    void* code_cave;
    unsigned __int8 protection_mask;
    bool swap_context;
};
12 |
// Argument block for VMCALL_EPT_UNHOOK_FUNCTION: either a single hooked page
// identified by its physical address, or every hook when unhook_all is set
// (cf. hvgt::unhook_function / unhook_all_functions).
struct __vmcall_unhook_page
{
    unsigned __int64 physical_adress;
    bool unhook_all;
};
18 |
// Argument block carrying a replacement value for IA32_LSTAR (the SYSCALL
// entry point). No vm_call_reasons value on this page refers to it; it may
// be unused or served by a reason defined elsewhere -- confirm.
struct __vmcall_hook_msr_lstar
{
    unsigned __int64 new_lstar_value;
};
23 |
// Argument block for VMCALL_INVEPT_CONTEXT: true selects an all-context
// INVEPT, false a single-context one (cf. hvgt::invept).
struct __vmcall_invept
{
    bool invept_all_context;
};
28 |
// Restores the host/guest segment registers after leaving VMX operation
// (used on the VMXOFF path; implementation not on this page).
void restore_segment_registers();
// Executes VMXOFF for the given virtual CPU (VMCALL_VMXOFF handler path).
void call_vmxoff(__vcpu* vcpu);
//void vmcall_operations(__vmexit_guest_registers_t* guest_regs);
// VM-exit handler for VMCALL: dispatches on vm_call_reasons after the caller
// has been recognised by the identifier placed in rax (see vmintrin.asm).
// That identifier only distinguishes airhv calls from other guest VMCALLs;
// any kernel-mode code can issue it, so it is not an authorisation check.
void vmexit_vmcall_handler(__vcpu* vcpu);
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/vmcall_reason.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Operation codes passed to the hypervisor through VMCALL. This enum is part
// of the ABI between airhvctrl (hypervisor_gateway) and the hypervisor's
// vmexit_vmcall_handler: both sides must be built from the same definition,
// and new reasons must be appended, never inserted, to keep old values stable.
enum vm_call_reasons
{
    VMCALL_TEST,                 // hvgt::test_vmcall: is the hypervisor answering?
    VMCALL_VMXOFF,               // hvgt::vmoff
    VMCALL_EPT_HOOK_FUNCTION,    // hvgt::hook_function  (__vmcall_hook_page)
    VMCALL_EPT_UNHOOK_FUNCTION,  // hvgt::unhook_function / unhook_all_functions (__vmcall_unhook_page)
    VMCALL_INVEPT_CONTEXT,       // hvgt::invept (__vmcall_invept)
    VMCALL_DUMP_POOL_MANAGER,    // hvgt::dump_pool_manager
    VMCALL_DUMP_VMCS_STATE,      // no gateway wrapper on this page
    VMCALL_HIDE_HV_PRESENCE,     // hvgt::hypervisor_visible(false)
    VMCALL_UNHIDE_HV_PRESENCE    // hvgt::hypervisor_visible(true)
};
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/vmcs.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/airhv/airhv-main/airhv/vmcs.cpp
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/vmexit_handler.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/airhv/airhv-main/airhv/vmexit_handler.cpp
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/vmm.h:
--------------------------------------------------------------------------------
1 | #pragma once
///
/// Initialize and launch the VMM.
/// Returns true on success. On failure the caller is expected to leave VMX
/// operation and release the context itself (see DriverEntry in main.cpp,
/// which calls hv::disable_vmx_operation() and free_vmm_context()).
///
bool vmm_init();

///
/// Deallocate every VMM structure. Safe to call after a failed vmm_init().
///
void free_vmm_context();
--------------------------------------------------------------------------------
/airhv/airhv-main/airhv/xsave.h:
--------------------------------------------------------------------------------
1 | #pragma once
// XCOMP_BV field of the XSAVE header. Bit 63 selects the compacted XSAVE
// format (XSAVEC/XSAVES); bits 62:0 then list the components present in the
// compacted area. The member is spelled "fromat" in the original; it is kept
// as-is because renaming a field changes the interface for every user.
union __xcomp_bv
{
    unsigned __int64 all;
    struct
    {
        unsigned __int64 reserved1 : 63;
        unsigned __int64 fromat : 1;   // bit 63: compacted-format flag
    };
};
11 |
// XSTATE_BV field of the XSAVE header: one bit per state component, in the
// numbering used by the Intel SDM (bit i set = component i was saved).
// reserved2 covers bits 14-15 and reserved3 bits 17-62; the fields sum to 64.
union __xstate_bv
{
    unsigned __int64 all;
    struct
    {
        unsigned __int64 x87state : 1;         // bit 0
        unsigned __int64 sse_state : 1;        // bit 1
        unsigned __int64 avx_state : 1;        // bit 2
        unsigned __int64 bndregs_state : 1;    // bit 3  (MPX)
        unsigned __int64 bndcsr_state : 1;     // bit 4  (MPX)
        unsigned __int64 opmask_state : 1;     // bit 5  (AVX-512)
        unsigned __int64 zmm_hi256_state : 1;  // bit 6  (AVX-512)
        unsigned __int64 hi16_zmm_state : 1;   // bit 7  (AVX-512)
        unsigned __int64 pt_state : 1;         // bit 8  (processor trace)
        unsigned __int64 pkru_state : 1;       // bit 9
        unsigned __int64 reserved1 : 1;        // bit 10
        unsigned __int64 cet_u_state : 1;      // bit 11
        unsigned __int64 cet_s_state : 1;      // bit 12
        unsigned __int64 hdc_state : 1;        // bit 13
        unsigned __int64 reserved2 : 2;        // bits 14-15
        unsigned __int64 hwp_state : 1;        // bit 16
        unsigned __int64 reserved3 : 46;       // bits 17-62
        unsigned __int64 special : 1;          // bit 63
    };
};
37 |
// The 64-byte XSAVE header that follows the 512-byte legacy region of an
// XSAVE area: XSTATE_BV, XCOMP_BV and six reserved qwords.
struct __xsave_header
{
    __xstate_bv xstate_bv;
    __xcomp_bv xcomp_bv;
    unsigned __int64 reserved[6];
};
--------------------------------------------------------------------------------
/airhv/airhv-main/airhvctrl/airhvctrl.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {8E41214B-6785-4CFE-B992-037D68949A14}
18 | inf;inv;inx;mof;mc;
19 |
20 |
21 |
22 |
23 | Source Files
24 |
25 |
26 | Source Files
27 |
28 |
29 | Source Files
30 |
31 |
32 | Source Files
33 |
34 |
35 |
36 |
37 | Source Files
38 |
39 |
40 |
41 |
42 | Header Files
43 |
44 |
45 | Header Files
46 |
47 |
48 | Header Files
49 |
50 |
51 | Header Files
52 |
53 |
54 |
--------------------------------------------------------------------------------
/airhv/airhv-main/airhvctrl/hypervisor_gateway.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
// Control-driver side of the VMCALL interface. Every routine here ends up in
// vmintrin.asm's __vm_call/__vm_call_ex with one of the vm_call_reasons; the
// hypervisor must already be running, otherwise VMCALL faults with #UD.
namespace hvgt
{
    ///
    /// Turn off the virtual machine (VMCALL_VMXOFF).
    ///
    void vmoff();

    ///
    /// Invalidates mappings in the translation lookaside buffers (TLBs)
    /// and paging-structure caches that were derived from extended page tables (EPT).
    ///
    /// invept_all: if true invalidates all contexts, otherwise only a single
    /// context (currently the hypervisor does not use more than one context).
    void invept(bool invept_all);

    ///
    /// Set/unset the presence of the hypervisor.
    ///
    /// value: if false, the hypervisor is not visible through the CPUID
    /// interface; if true, it becomes visible.
    void hypervisor_visible(bool value);

    ///
    /// Unhook all pages and invalidate the TLB.
    ///
    /// Returns: status
    bool unhook_all_functions();

    ///
    /// Unhook a single page and invalidate the TLB.
    ///
    /// function_address: address inside the page that was hooked.
    /// Returns: status
    bool unhook_function(void* function_address);

    ///
    /// Hook a function via EPT and invalidate mappings.
    ///
    /// target_address:  address of the function to hook.
    /// hook_function:   address of the routine that replaces it.
    /// origin_function: receives the address used to call the original function.
    /// Returns: status
    bool hook_function(void* target_address, void* hook_function, void** origin_function);

    ///
    /// Hook a function via EPT and invalidate mappings, using a caller-supplied
    /// trampoline location.
    ///
    /// target_address:     address of the function to hook.
    /// hook_function:      address of the routine that replaces it.
    /// trampoline_address: address of a code cave at least 14 bytes in size and
    ///                     within 2GB of the target function. Use only if the
    ///                     function uses relative jmps/moves in its first 14 bytes.
    /// origin_function:    receives the address used to call the original function.
    /// Returns: status
    bool hook_function(void* target_address, void* hook_function, void* trampoline_address, void** origin_function);

    ///
    /// Check whether we can communicate with the hypervisor (VMCALL_TEST).
    ///
    /// Returns: status
    bool test_vmcall();

    ///
    /// Send an IRP (IOCTL_POOL_MANAGER_ALLOCATE) asking the hypervisor driver
    /// to perform its queued allocations.
    ///
    /// Returns: status
    bool send_irp_perform_allocation();

    ///
    /// Dump info about allocated pools (use DbgView to see the output).
    ///
    void dump_pool_manager();
}
--------------------------------------------------------------------------------
/airhv/airhv-main/airhvctrl/log.cpp:
--------------------------------------------------------------------------------
1 | #define _NO_CRT_STDIO_INLINE
2 | #include
3 | #include
4 | #include
5 | #include "log.h"
6 |
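/// Formats one log line of the form
///   "[hh:mm:ss.mmm] [LEVEL] message\r\n"
/// and emits it through DbgPrintEx (DPFLTR_IHVDRIVER_ID at error level, so it
/// is shown by default in WinDbg / DbgView).
///
/// @param type  severity from __log_type. Values outside the enum are tagged
///              "[UNKNOWN]"; the original left the tag NULL and then printed
///              it with "%s".
/// @param fmt   printf-style format. The Log* macros in log.h always pass a
///              literal here, so the format string is never caller data; keep
///              it that way and route any untrusted text through a "%s".
/// @param ...   arguments consumed by fmt.
///
/// Truncation: the message is capped at sizeof(MessageBuffer)-1 characters
/// and the full line at sizeof(OutputBuffer)-1. The RtlStringCch* routines
/// always NUL-terminate, so truncation is silent but memory-safe.
///
/// NOTE(review): the time-conversion and ntstrsafe calls have IRQL
/// requirements; confirm that every call site (in particular any VM-exit
/// context) satisfies them.
void LogPrint(__log_type type, const char* fmt, ...)
{
    // String literals are const; the original assigned them to a writable
    // char*, which is ill-formed C++.
    const char* LogType = "[UNKNOWN]";
    LARGE_INTEGER SystemTime = {};
    LARGE_INTEGER LocalTime = {};
    TIME_FIELDS TimeFields = {};
    char TimeBuffer[20] = {};
    char MessageBuffer[412] = {};
    char OutputBuffer[512] = {};
    va_list Args = {};

    switch (type)
    {
    case LOG_TYPE_DEBUG:
        LogType = "[DEBUG]";
        break;
    case LOG_TYPE_DUMP:
        LogType = "[DUMP]";
        break;
    case LOG_TYPE_ERROR:
        LogType = "[ERROR]";
        break;
    case LOG_TYPE_INFO:
        LogType = "[INFORMATION]";
        break;
    default:
        break;
    }

    // Local wall-clock timestamp with millisecond resolution.
    KeQuerySystemTime(&SystemTime);
    ExSystemTimeToLocalTime(&SystemTime, &LocalTime);
    RtlTimeToTimeFields(&LocalTime, &TimeFields);

    RtlStringCchPrintfA(
        TimeBuffer,
        sizeof(TimeBuffer),
        "[%02hd:%02hd:%02hd.%03hd]",
        TimeFields.Hour,
        TimeFields.Minute,
        TimeFields.Second,
        TimeFields.Milliseconds);

    // Render the caller's message on its own first, then compose the line.
    va_start(Args, fmt);
    RtlStringCchVPrintfA(MessageBuffer, sizeof(MessageBuffer), fmt, Args);
    va_end(Args);

    RtlStringCchPrintfA(
        OutputBuffer,
        sizeof(OutputBuffer),
        "%s %s %s\r\n",
        TimeBuffer,
        LogType,
        MessageBuffer);

    // "%s" rather than passing OutputBuffer as the format: the rendered
    // message may itself contain '%' characters.
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "%s", OutputBuffer);
}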
--------------------------------------------------------------------------------
/airhv/airhv-main/airhvctrl/log.h:
--------------------------------------------------------------------------------
1 | #pragma once
// Logging front-ends. Each macro prefixes the caller's format string with
// " [function:line] " so the origin of every message is visible, then forwards
// the variadic arguments to LogPrint() in log.cpp.
//
// The format string is always a literal written at the call site; never pass
// externally supplied text as `format`, since LogPrint() interprets it with a
// printf-style formatter. Route untrusted text through a "%s" argument instead.
//
// NOTE(review): a call with no extra arguments leaves a trailing comma before
// the closing parenthesis; this relies on the MSVC preprocessor swallowing it
// and is not portable.
#define LogError(format, ...) \
LogPrint(LOG_TYPE_ERROR," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogDebug(format, ...) \
LogPrint(LOG_TYPE_DEBUG," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogDump(format, ...) \
LogPrint(LOG_TYPE_DUMP," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)
#define LogInfo(format, ...) \
LogPrint(LOG_TYPE_INFO," [%s:%d] " format , __func__, __LINE__, __VA_ARGS__)

// Severity tag selected by the macros above; LogPrint() maps it to the
// bracketed label printed after the timestamp.
enum __log_type
{
    LOG_TYPE_DEBUG,   // "[DEBUG]"
    LOG_TYPE_ERROR,   // "[ERROR]"
    LOG_TYPE_DUMP,    // "[DUMP]"
    LOG_TYPE_INFO     // "[INFORMATION]"
};

// Formats "[time] [LEVEL] message" and emits it via DbgPrintEx (log.cpp).
void LogPrint(__log_type type, const char* fmt, ...);
--------------------------------------------------------------------------------
/airhv/airhv-main/airhvctrl/nt.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
// Subset of the (undocumented) SYSTEM_INFORMATION_CLASS values for
// ZwQuerySystemInformation. Only SystemModuleInformation (11) is used on this
// page (utils.cpp, get_kernel_module); the others are listed for reference.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation = 0,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemProcessInformation = 5,
    SystemExtendedProcessInformation = 6,
    SystemProcessorPerformanceInformation = 8,
    SystemModuleInformation = 11,   // returns SYSTEM_MODULE_INFORMATION
    SystemInterruptInformation = 23,
    SystemExceptionInformation = 33,
    SystemKernelDebuggerInformation = 35,
    SystemRegistryQuotaInformation = 37,
    SystemLookasideInformation = 45,
    SystemFullProcessInformation = 148
} SYSTEM_INFORMATION_CLASS;
20 |
// Kernel export used with the two-call pattern: a first call with a NULL
// buffer and length 0 stores the required size in ReturnLength (its failing
// status is ignored by the caller in utils.cpp), the second call fills the
// buffer. The buffer size can change between the two calls, so the second
// call's status must be checked.
extern "C"
{
    NTKERNELAPI NTSTATUS NTAPI ZwQuerySystemInformation
    (
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    );
}
31 |
// One loaded kernel module as returned by SystemModuleInformation.
// FullPathName is a fixed 256-byte buffer; OffsetToFileName is the index of
// the file-name part inside it. Callers that treat FullPathName as a C string
// (utils.cpp does, via strstr) should not assume it is NUL-terminated.
typedef struct _SYSTEM_MODULE_ENTRY {
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;        // load address of the module
    ULONG ImageSize;        // size of the mapped image in bytes
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR FullPathName[256];
} SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
44 |
// Alternative spelling of the module record with the same size and field
// offsets as SYSTEM_MODULE_ENTRY (three pointers, two ULONGs, four shorts,
// a 256-byte name -- assuming MAXIMUM_FILENAME_LENGTH is 256). Nothing on
// this page references it; it appears to be retained from another source.
typedef struct _SYSTEM_MODULE {
    PVOID Reserved1;
    PVOID Reserved2;
    PVOID ImageBaseAddress;
    ULONG ImageSize;
    ULONG Flags;
    unsigned short Id;
    unsigned short Rank;
    unsigned short Unknown;
    unsigned short NameOffset;
    unsigned char Name[MAXIMUM_FILENAME_LENGTH];
} SYSTEM_MODULE, * PSYSTEM_MODULE;
57 |
// Buffer layout returned for SystemModuleInformation: a count followed by
// ModulesCount entries (Modules[1] is the usual variable-length-array idiom;
// utils.cpp indexes past it up to ModulesCount).
//
// NOTE(review): Count and Sys_Modules do not belong to the kernel's layout --
// the entries simply continue after Modules[0]. They are unused on this page
// and harmless as long as nobody reads them, but they make sizeof() and any
// future use misleading; consider removing them.
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG ModulesCount;
    SYSTEM_MODULE_ENTRY Modules[1];
    ULONG Count;
    SYSTEM_MODULE Sys_Modules[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
--------------------------------------------------------------------------------
/airhv/airhv-main/airhvctrl/utils.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include "nt.h"
4 |
// Maximum number of code caves find_code_caves() records.
#define NUMBER_OF_CODE_CAVES 10

// Start addresses of 14-byte 0xCC runs inside the kernel image, filled by
// find_code_caves(); entries not found stay NULL, so consumers must check.
// Presumably consumed as the trampoline_address of hvgt::hook_function --
// confirm at the call sites.
void* kernel_code_caves[NUMBER_OF_CODE_CAVES] = { 0 };
8 |
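/// Looks up a loaded kernel module by substring match on its full path.
///
/// @param name        substring searched for in the module's FullPathName
///                    (e.g. "ntoskrnl.exe"). It is a plain strstr, so a short
///                    name can match an unintended module; pass a distinctive one.
/// @param image_size  receives the module's ImageSize on success.
/// @param image_base  receives the module's ImageBase on success.
/// @return true if a module whose path contains `name` and whose ImageSize is
///         non-zero was found; false otherwise, including on allocation or
///         query failure. The output parameters are untouched on false.
///
/// Uses the two-call ZwQuerySystemInformation pattern: the first call reports
/// the required size, the second fills the buffer. The module list may grow in
/// between; the second call then fails and we return false instead of reading
/// a partially filled buffer.
///
/// Fixes versus the original: the allocation result was dereferenced without
/// a NULL check, a zero required size was not handled, and FullPathName was
/// passed to strstr without guaranteeing NUL termination.
bool get_kernel_module(const char* name, unsigned __int64& image_size, void*& image_base)
{
    ULONG bytes = 0;
    ZwQuerySystemInformation(SystemModuleInformation, 0, 0, &bytes);
    if (bytes == 0)
        return false;

    PSYSTEM_MODULE_INFORMATION mods = (PSYSTEM_MODULE_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, bytes, 'xxxx');
    if (mods == NULL)
        return false;

    RtlSecureZeroMemory(mods, bytes);

    const NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, mods, bytes, &bytes);

    bool found = false;
    if (NT_SUCCESS(status))
    {
        PSYSTEM_MODULE_ENTRY mod = mods->Modules;
        for (ULONG i = 0; i < mods->ModulesCount && !found; i++)
        {
            // FullPathName is a fixed 256-byte field; terminate our private
            // copy before treating it as a C string.
            mod[i].FullPathName[sizeof(mod[i].FullPathName) - 1] = '\0';

            if (strstr((const char*)mod[i].FullPathName, name) != NULL && mod[i].ImageSize != 0)
            {
                image_size = mod[i].ImageSize;
                image_base = mod[i].ImageBase;
                found = true;
            }
        }
    }

    ExFreePoolWithTag(mods, 'xxxx');
    return found;
}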
42 |
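/// Scans the ntoskrnl image for runs of 14 consecutive 0xCC (int3 padding)
/// bytes that lie within a single page and records the start address of up to
/// NUMBER_OF_CODE_CAVES of them in kernel_code_caves.
///
/// @return false if ntoskrnl.exe could not be located; true otherwise -- even
///         when fewer than NUMBER_OF_CODE_CAVES caves were found, so callers
///         must check for NULL entries in kernel_code_caves.
///
/// Fix versus the original: its for-loop condition used the comma operator,
/// so the range test was evaluated and discarded (and it compared an address
/// against a size anyway); the scan was bounded only by the cave count and
/// walked past the end of the image whenever fewer caves existed. The scan is
/// now bounded by image base + image size.
///
/// NOTE(review): the scan touches every byte from base+0x1000 to the end of
/// the image, not only executable sections; a pageable or discarded section
/// could fault when read. The same holds for the original.
bool find_code_caves()
{
    unsigned __int64 image_size = 0;
    void* image_base = 0;

    if (get_kernel_module("ntoskrnl.exe", image_size, image_base) == false)
        return false;

    // Skip the first page (PE headers), as the original did.
    const unsigned __int64 scan_start = (unsigned __int64)image_base + 0x1000;
    const unsigned __int64 scan_end = (unsigned __int64)image_base + image_size;

    unsigned __int64 cave_index = 0;
    unsigned __int64 run_length = 0;

    for (unsigned __int64 memory_location = scan_start;
         memory_location < scan_end && cave_index < NUMBER_OF_CODE_CAVES;
         memory_location++)
    {
        if (*(unsigned __int8*)memory_location == 0xCC)
            run_length++;
        else
            run_length = 0;

        // Record a cave exactly when the run reaches 14 bytes; a longer run
        // is not recorded twice (run_length keeps growing past 14).
        if (run_length != 14)
            continue;

        // The whole 14-byte window must live in one page.
        if (PAGE_ALIGN(memory_location) != PAGE_ALIGN(memory_location - 13))
            continue;

        kernel_code_caves[cave_index++] = (void*)(memory_location - 13);
    }

    return true;
}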
--------------------------------------------------------------------------------
/airhv/airhv-main/airhvctrl/utils.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
// Fills kernel_code_caves (utils.cpp) with up to NUMBER_OF_CODE_CAVES 14-byte
// 0xCC runs from the ntoskrnl image. Returns false only if the kernel module
// could not be found; entries may still be NULL when it returns true.
bool find_code_caves();
--------------------------------------------------------------------------------
/airhv/airhv-main/airhvctrl/vmintrin.asm:
--------------------------------------------------------------------------------
1 | .CODE
2 |
; __vm_call: issue a VMCALL to airhv with the identifier in rax.
; Under the Windows x64 convention the first four caller arguments are already
; in rcx, rdx, r8 and r9 and are passed through untouched; rax on return is
; whatever the hypervisor left there (the C prototype is not on this page).
; NOTE(review): VMCALL raises #UD if no hypervisor handles it, so this must
; only be reached once the driver has launched (cf. hvgt::test_vmcall).
__vm_call proc
    mov rax,0CDAEFAEDBBAEBEEFh ; airhv vmcall identifier
    vmcall
    ret
__vm_call endp
8 |
; __vm_call_ex: VMCALL with up to ten arguments.
; Arguments 1-4 stay in rcx, rdx, r8, r9 (Windows x64 convention). Arguments
; 5-10 are read from the caller's stack into r10-r15: after "sub rsp, 30h" the
; return address sits at [rsp+30h] and the four home slots at [rsp+38h..50h],
; so [rsp+58h] is the fifth argument and [rsp+80h] the tenth. r10-r15 are
; preserved in the 30h-byte frame and restored after the VMCALL.
; NOTE(review): the frame is 30h bytes, so rsp is not 16-byte aligned across
; the vmcall; that is fine here because nothing is called in between.
__vm_call_ex proc
    mov rax,0CDAEFAEDBBAEBEEFh ; airhv vmcall identifier

    ; save r10-r15
    sub rsp, 30h
    mov qword ptr [rsp], r10
    mov qword ptr [rsp + 8h], r11
    mov qword ptr [rsp + 10h], r12
    mov qword ptr [rsp + 18h], r13
    mov qword ptr [rsp + 20h], r14
    mov qword ptr [rsp + 28h], r15

    ; load stack arguments 5..10 into r10..r15
    mov r10, qword ptr [rsp + 58h]
    mov r11, qword ptr [rsp + 60h]
    mov r12, qword ptr [rsp + 68h]
    mov r13, qword ptr [rsp + 70h]
    mov r14, qword ptr [rsp + 78h]
    mov r15, qword ptr [rsp + 80h]

    vmcall

    ; restore r10-r15 and drop the frame
    mov r10, qword ptr [rsp]
    mov r11, qword ptr [rsp + 8h]
    mov r12, qword ptr [rsp + 10h]
    mov r13, qword ptr [rsp + 18h]
    mov r14, qword ptr [rsp + 20h]
    mov r15, qword ptr [rsp + 28h]
    add rsp, 30h

    ret
__vm_call_ex endp
38 |
39 | END
--------------------------------------------------------------------------------
/airhv/airhv.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/airhv/airhv.txt
--------------------------------------------------------------------------------
/vtDebugger.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zxd1994/vt-debuuger/ddc961da11caf17447fe45d3e1125b1d54d5d057/vtDebugger.zip
--------------------------------------------------------------------------------