!hide (enable transparent-mode)
Description of the '!hide' command in HyperDbg.
Command:
!hide

Syntax:
!hide [pid ProcessId (hex)]
!hide [name ProcessName (string)]
Description:
Enables the transparent-mode of HyperDbg against anti-debugging and anti-hypervisor methods. This option only applies to the processes you select; it is not applied to all processes.
You can use this command multiple times.
This command is case-sensitive for the name parameter.

Parameters:
[pid ProcessId (hex)]
Process ID of the process for which you want to make HyperDbg transparent.
[name ProcessName (string)]
Name of the process for which you want to make HyperDbg transparent. You should append .exe to your process names.
Examples:
If you want to hide HyperDbg for process id 2a78:
HyperDbg> !hide pid 2a78
If you want to hide HyperDbg for all the processes whose process names start with procexp.exe:
HyperDbg> !hide name procexp.exe
IOCTL:
You should send the IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER IOCTL to enable or disable transparent-mode. The following structure indicates whether to enable or disable it.
IsHide = TRUE: Enable transparent-mode.
CpuidAverage, CpuidStandardDeviation and CpuidMedian can be computed by using the TransparentModeCheckHypervisorPresence function.
RdtscAverage, RdtscStandardDeviation and RdtscMedian can be computed by using the TransparentModeCheckRdtscpVmexit function.
TrueIfProcessIdAndFalseIfProcessName: if this field is TRUE, then you should fill ProcId with the process ID of the process for which you need HyperDbg to be transparent. Otherwise, if you want to use a process name (not a process ID), then you should set TrueIfProcessIdAndFalseIfProcessName to FALSE, append the process name (string) to the bottom of this structure, and put the string size + 1 (null terminator) into LengthOfProcessName. Then you should send sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE) + ProcessNameStringSize as the input size of DeviceIoControl.
typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE {
    BOOLEAN IsHide;
    UINT64 CpuidAverage;
    UINT64 CpuidStandardDeviation;
    UINT64 CpuidMedian;
    UINT64 RdtscAverage;
    UINT64 RdtscStandardDeviation;
    UINT64 RdtscMedian;
    BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
    UINT32 ProcId;
    UINT32 LengthOfProcessName; // in the case of !hide name xxx, this parameter
                                // shows the length of xxx
    UINT64 KernelStatus; /* DEBUGEER_OPERATION_WAS_SUCCESSFULL ,
                            DEBUGEER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
                         */
} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE, *PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE;
If the operation was successful, the kernel returns DEBUGEER_OPERATION_WAS_SUCCESSFULL to user-mode as KernelStatus in the above structure; if it was unsuccessful, it returns DEBUGEER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER, which indicates an error.
You can send the above structure multiple times if you want to hide multiple processes.
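As an added illustration (not code from the HyperDbg project), the following C snippet builds the request buffer described above for both the pid form and the name form, applying the null-terminator and ".exe" rules from this page; the function names, the non-Windows type aliases and the decision to leave the CPUID/RDTSC timing fields zero are assumptions of this example, and the IOCTL code, the HyperDbg device handle and the DeviceIoControl call itself are left to the caller.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else /* constructed aliases so the layout code also compiles off Windows */
typedef uint8_t BOOLEAN; typedef uint32_t UINT32; typedef uint64_t UINT64;
#define TRUE 1
#define FALSE 0
#endif

/* Request structure exactly as documented on this page. */
typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE {
    BOOLEAN IsHide;
    UINT64  CpuidAverage, CpuidStandardDeviation, CpuidMedian;
    UINT64  RdtscAverage, RdtscStandardDeviation, RdtscMedian;
    BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
    UINT32  ProcId;
    UINT32  LengthOfProcessName;   /* string size + 1 for the null terminator */
    UINT64  KernelStatus;          /* filled by the kernel: success or error code */
} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE, *PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE;

/* The page requires process names to end in ".exe"; returns 1 if they do. */
int name_has_exe_suffix(const char *name) {
    size_t n = strlen(name);
    return n > 4 && strcmp(name + n - 4, ".exe") == 0;
}

/* DeviceIoControl input size: sizeof(struct), plus the name and its null terminator for the name form. */
size_t hide_request_input_size(const char *process_name) {
    return sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE) + (process_name ? strlen(process_name) + 1 : 0);
}

/* Builds "!hide pid <pid>" (process_name == NULL) or "!hide name <process_name>" (name appended after
 * the struct). Returns a malloc'd buffer (caller frees) and its size, or NULL for a name without ".exe". */
unsigned char *build_hide_request(UINT32 pid, const char *process_name, size_t *out_size) {
    if (process_name && !name_has_exe_suffix(process_name)) return NULL;
    size_t total = hide_request_input_size(process_name);
    unsigned char *buf = calloc(1, total);   /* zeroed: CPUID/RDTSC fields are left for HyperDbg's helpers */
    if (!buf) return NULL;
    PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE req = (PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE)buf;
    req->IsHide = TRUE;
    req->TrueIfProcessIdAndFalseIfProcessName = process_name ? FALSE : TRUE;
    req->ProcId = process_name ? 0 : pid;
    if (process_name) {
        req->LengthOfProcessName = (UINT32)(strlen(process_name) + 1);
        memcpy(buf + sizeof(*req), process_name, req->LengthOfProcessName);
    }
    if (out_size) *out_size = total;
    return buf;
}
```

The returned buffer and size are what you pass to DeviceIoControl together with IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER; after the call, KernelStatus in the same structure tells you whether the kernel accepted the request.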
Remarks:
This command does not guarantee 100% transparency, especially in nested-virtualization environments.
HyperDbg protects you from user-mode anti-hypervisor methods by making vm-exits transparent, even in a nested-virtualization environment. However, anti-VMware, anti-VirtualBox, etc. methods leave other traces, and those remain a problem: HyperDbg tries to hide itself from anti-debugging and anti-hypervisor methods, but it does not hide VMware, VirtualBox, etc. You therefore need to run this command on a physical machine (not in a nested-virtualization environment); otherwise you must find the other traces of the virtual machine software and resolve them yourself (e.g., by hooking anti-VMware APIs and queries).
This command continues the debuggee for some time (in Debugger Mode), which means that you lose the current context (registers & memory) after executing it.
Requirements:
None