HyperHide
Hypervisor based anti anti debug plugin for x64dbg
Table of Contents
- Description
- Compilation
- Support
- Usage Information
- Examples
- Features
- 1. Process Environment Block (PEB)
- 2. Heap Flags
- 3. Process Flags
- 4. Thread Flags
- 5. KUserSharedData
- 6. KiExceptionDispatch
- 7. NtQueryInformationProcess
- 8. NtQueryInformationThread
- 9. NtQueryInformationJobObject
- 10. NtQueryObject
- 11. NtQuerySystemInformation
- 12. NtQuerySystemTime
- 13. NtQueryPerformanceCounter
- 14. NtSetInformationThread
- 15. NtSetInformationProcess
- 16. NtSystemDebugControl
- 17. NtClose
- 18. NtSetContextThread
- 19. NtGetContextThread
- 20. NtCreateThreadEx
- 21. NtCreateProcessEx
- 22. NtCreateUserProcess
- 23. NtCreateFile
- 24. NtYieldExecution
- 25. NtOpenProcess
- 26. NtOpenThread
- 27. NtGetNextProcess
- 28. NtContinue
- 29. NtUserFindWindowEx
- 30. NtUserGetForegroundWindow
- 31. NtUserQueryWindow
- 32. NtUserBuildHwndList
- Remarks
- License
- Special thanks to
Description
HyperHide is an open-source, hypervisor-based anti-anti-debug plugin for x64dbg/x32dbg. HyperHide uses Intel EPT to hook various syscalls and other functions that can be used to spot the presence of a debugger.
Compilation
To compile the project you need the WDK and Visual Studio 2019.
Support
HyperHide supports all Windows versions from Windows 7 up to the newest version (x64 only) and works only on Intel processors with VT-x and EPT support.
Usage Information
Download the pre-compiled binaries or compile the source code yourself.
Turn on test signing mode by running the command below in cmd with administrator rights (restart the system after turning it on):
bcdedit /set testsigning on
Put HyperHideDrv.sys and airhv.sys in C:\Windows\System32\drivers, then open the Scripts folder in the repository and execute create.bat with administrator rights. To turn on both drivers, execute on.bat with administrator rights. To turn off both airhv and HyperHideDrv, execute off.bat with administrator rights (close all x64dbg/x32dbg instances before turning off the drivers).
32-bit: Copy HyperHide.ini and HyperHide.dp32 to your \x32\plugins\ directory.
64-bit: Copy HyperHide.ini and HyperHide.dp64 to your \x64\plugins\ directory.
To check whether HyperHide is working correctly, use DebugView.
Examples
Output from al-khaser 64 bit: [screenshot]
Output from al-khaser 32 bit: [screenshot]
Features
1. Process Environment Block (PEB)
The most important anti-anti-debug option: almost every protector checks PEB values.
The first and most important is the BeingDebugged field in the PEB. This field is set when you start a process under a debugger and indicates its presence.
The second is the NtGlobalFlag field. It is 0 by default, but when a process is started by a debugger the following flags are set:
- FLG_HEAP_ENABLE_TAIL_CHECK (0x10)
- FLG_HEAP_ENABLE_FREE_CHECK (0x20)
- FLG_HEAP_VALIDATE_PARAMETERS (0x40)
When the Clear Peb BeingDebugged checkbox is set in the plugin options, every time you start debugging HyperHideDrv will clear BeingDebugged.
When the Clear Peb NtGlobalFlag checkbox is set in the plugin options, every time you start debugging HyperHideDrv will clear NtGlobalFlag (do not use if you are attaching to an existing process).
2. Heap Flags
The heap contains two fields that are affected by a debugger.
The first is the Flags field of the heap. By default it is set to HEAP_GROWABLE; when the process is started by a debugger, Flags is set to a combination of these flags:
x86:
- HEAP_GROWABLE (2)
- HEAP_TAIL_CHECKING_ENABLED (0x20)
- HEAP_FREE_CHECKING_ENABLED (0x40)
- HEAP_SKIP_VALIDATION_CHECKS (0x10000000)
- HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)
x64:
- HEAP_GROWABLE (2)
- HEAP_TAIL_CHECKING_ENABLED (0x20)
- HEAP_FREE_CHECKING_ENABLED (0x40)
- HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)
The second is ForceFlags, which by default is set to 0. When the process is started by a debugger, ForceFlags is set to a combination of these flags:
- HEAP_TAIL_CHECKING_ENABLED (0x20)
- HEAP_FREE_CHECKING_ENABLED (0x40)
- HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000)
When the Clear Heap Flags checkbox is set in the plugin options, every time you start debugging HyperHideDrv will set Flags and ForceFlags back to their default values (do not use if you are attaching to an existing process).
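As an added example (not code from the HyperHide project), the following C snippet models the four PEB and heap checks from sections 1 and 2: it counts how many of them would report a debugger for a given snapshot of the fields, and computes the default values the README says HyperHideDrv restores. The snapshot struct and the constructed field values are assumptions for illustration; the flag constants and defaults are the ones listed above.

```c
#include <stdint.h>

/* PEB NtGlobalFlag bits and heap Flags/ForceFlags bits, as listed in the README. */
#define FLG_HEAP_ENABLE_TAIL_CHECK        0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK        0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS      0x40u
#define HEAP_GROWABLE                     0x2u
#define HEAP_TAIL_CHECKING_ENABLED        0x20u
#define HEAP_FREE_CHECKING_ENABLED        0x40u
#define HEAP_SKIP_VALIDATION_CHECKS       0x10000000u
#define HEAP_VALIDATE_PARAMETERS_ENABLED  0x40000000u

/* Bits a debugger-launched process gains; x86 additionally gets HEAP_SKIP_VALIDATION_CHECKS. */
#define NTGLOBAL_DEBUG_BITS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)
#define HEAP_DEBUG_BITS_X64 (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED)
#define HEAP_DEBUG_BITS_X86 (HEAP_DEBUG_BITS_X64 | HEAP_SKIP_VALIDATION_CHECKS)

/* Snapshot of the fields a protector inspects (constructed for this example). */
typedef struct {
    uint8_t  being_debugged;   /* PEB.BeingDebugged */
    uint32_t nt_global_flag;   /* PEB.NtGlobalFlag */
    uint32_t heap_flags;       /* default heap Flags */
    uint32_t heap_force_flags; /* default heap ForceFlags */
} debug_snapshot;

/* Number of the four README checks that would flag this snapshot as debugged (0..4). */
int count_debug_artifacts(const debug_snapshot *s, int is_x64) {
    uint32_t heap_bits = is_x64 ? HEAP_DEBUG_BITS_X64 : HEAP_DEBUG_BITS_X86;
    int hits = 0;
    if (s->being_debugged)                  hits++;
    if (s->nt_global_flag & NTGLOBAL_DEBUG_BITS) hits++;
    if (s->heap_flags & heap_bits)          hits++;
    if (s->heap_force_flags != 0)           hits++;
    return hits;
}

/* Write back the defaults the README says HyperHideDrv restores at debug start. */
debug_snapshot clean_snapshot(debug_snapshot s, int is_x64) {
    uint32_t heap_bits = is_x64 ? HEAP_DEBUG_BITS_X64 : HEAP_DEBUG_BITS_X86;
    s.being_debugged   = 0;
    s.nt_global_flag  &= ~NTGLOBAL_DEBUG_BITS;  /* back to 0 for a plain process */
    s.heap_flags      &= ~heap_bits;            /* leaves HEAP_GROWABLE */
    s.heap_force_flags = 0;
    return s;
}
```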
3. Process Flags
Windows uses various process flags that can be used to detect a debugger or to make debugging harder.
- The first flag is BreakOnTermination. When set, process termination leads to a BSOD.
When the Clear ProcessBreakOnTermination checkbox is set in the plugin options, every time you start debugging HyperHideDrv will clear this field in the debugged process's EPROCESS struct and save whether it was set for later use in NtQueryInformationProcess (do not use if you are starting the process with the debugger).
- The second flag is ProcessHandleTracing. It indicates whether process handle tracing is enabled.
When the Save ProcessHandleTracing checkbox is set in the plugin options, every time you start debugging HyperHideDrv will save whether it was set for later use in NtQueryInformationProcess (do not use if you are starting the process with the debugger).
- The third flag is ProcessDebugFlags.
When the Save ProcessHandleTracing checkbox is set in the plugin options, every time you start debugging HyperHideDrv will save whether it was set for later use in NtQueryInformationProcess (do not use if you are starting the process with the debugger).
4. Thread Flags
Windows uses various thread flags that can be used to detect a debugger or to make debugging harder.
- The first flag is ThreadHideFromDebugger. When set, the debugger loses control over the thread.
When the Clear ThreadHideFromDebugger Flag checkbox is set in the plugin options, every time you start debugging HyperHideDrv will clear this field in the ETHREAD struct of each thread of the debugged process and save whether it was set for later use in NtQueryInformationThread (do not use if you are starting the process with the debugger).
- The second flag is BreakOnTermination. When set, thread termination leads to a BSOD.
When the Clear ThreadBreakOnTermination checkbox is set in the plugin options, every time you start debugging HyperHideDrv will clear this field in the ETHREAD struct of each thread of the debugged process and save whether it was set for later use in NtQueryInformationThread (do not use if you are starting the process with the debugger).
- The third flag is BypassProcessFreeze. When set, NtSuspendProcess ignores all threads that have this flag set (the flag exists on Windows versions from 19H1 up to the newest).
When the Clear BypassProcessFreeze Flag checkbox is set in the plugin options, every time you start debugging HyperHideDrv will clear this field in the KTHREAD struct of each thread of the debugged process (do not use if you are starting the process with the debugger).
5. KUserSharedData
KUserSharedData is a global page shared between all user-mode processes, always located at the same address (0x7FFE0000). KUserSharedData has a lot of counters that can be used to perform timing attacks.
When the KUserSharedData checkbox is set in the plugin options, every time you start debugging HyperHideDrv will swap the PFN of the process's KUserSharedData page with a fake one. Whenever the process is paused, HyperHideDrv stops updating the counters, and after resuming the counters hold values derived from the kernel copy of KUserSharedData (always located at the same address, 0xFFFFF78000000000) minus the time spent paused.
When the Clear KUserSharedData checkbox is set in the plugin options, HyperHideDrv will clear the KdDebuggerEnabled field (works only if the user-mode KUserSharedData page has been replaced with the fake one).
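The counter behaviour described above, as an added example that is not HyperHideDrv's code: a small C model of one fake counter that freezes while the debuggee is paused and afterwards reports the real counter minus the total paused time, so a timing check that straddles a pause sees only the time the process actually ran. The struct and function names are assumptions for illustration; the real driver swaps the page's PFN, which is not reproduced here.

```c
#include <stdint.h>

/* One fake KUserSharedData counter tracked against the real (kernel) counter. */
typedef struct {
    uint64_t paused_total;  /* ticks spent paused so far, subtracted from every read */
    uint64_t paused_since;  /* real counter value when the current pause began */
    int      paused;        /* 1 while the debuggee is paused */
} fake_kusd_counter;

void kusd_init(fake_kusd_counter *c) {
    c->paused_total = 0;
    c->paused_since = 0;
    c->paused = 0;
}

/* Debuggee paused: remember where the real counter was so the fake one freezes here. */
void kusd_pause(fake_kusd_counter *c, uint64_t real_now) {
    if (!c->paused) {
        c->paused = 1;
        c->paused_since = real_now;
    }
}

/* Debuggee resumed: everything that elapsed during the pause is hidden from now on. */
void kusd_resume(fake_kusd_counter *c, uint64_t real_now) {
    if (c->paused) {
        c->paused_total += real_now - c->paused_since;
        c->paused = 0;
    }
}

/* Value the debuggee reads: frozen while paused, otherwise real minus paused time. */
uint64_t kusd_read(const fake_kusd_counter *c, uint64_t real_now) {
    if (c->paused)
        return c->paused_since - c->paused_total;
    return real_now - c->paused_total;
}

/* Elapsed ticks between two reads, as a timing check in the debuggee would compute it. */
uint64_t kusd_elapsed(const fake_kusd_counter *c, uint64_t real_start, uint64_t real_end) {
    return kusd_read(c, real_end) - kusd_read(c, real_start);
}
```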
6. KiExceptionDispatch
KiExceptionDispatch is the kernel-mode function responsible for handling exceptions. HyperHideDrv hooks it to clear the debug registers or to return a fake debug context if one was previously set with NtSetContextThread\NtSetInformationThread\NtContinue.
When the KiExceptionDispatch checkbox is set in the plugin options, every time you start debugging HyperHideDrv will hook this function.
7. NtQueryInformationProcess
NtQueryInformationProcess can be called with various PROCESSINFOCLASS values to detect a debugger, for example:
- ProcessDebugPort is used to retrieve the debugger port number for the process. If the process is being debugged, this function writes -1 (0xFFFFFFFFFFFFFFFF) to the buffer passed in ProcessInformation; otherwise it writes 0 (HyperHideDrv always returns 0).
- ProcessDebugObjectHandle is used to query the debug object handle; if there is no attached debugger, the function writes 0 to the passed buffer and return st