!hide (enable transparent-mode)
Description of the '!hide' command in HyperDbg.
!hide
!hide [pid ProcessId (hex)]!hide [name ProcessName (string)]
Enables the transparent-mode of HyperDbg for anti-debugging and anti-hypervisor methods. This option only works for the processes selected by you and won't be applied to all the processes.
You can use this command multiple times.
This command is case-sensitive for the
name parameter.[pid ProcessId (hex)]
Process Id of the process that you want to make HyperDbg transparent for it.
[name ProcessName (string)]
Name of the process that you want to make HyperDbg transparent for it.
You should append
.exe to your process names.If you want to hide HyperDbg for process id 2a78.
HyperDbg> !hide pid 2a78
If you want to hide HyperDbg for all the processes that their process names start with
procexp.exe .HyperDbg> !hide name procexp.exe
You should send the
IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER IOCTL to enable or disable transparent-mode.The following structure shows whether enable or disable it.
IsHide = TRUE : Enable transparent-mode.CpuidAverage, CpuidStandardDeviation, CpuidMedian can be computed by using theTransparentModeCheckHypervisorPresence function.RdtscAverage, RdtscStandardDeviation, RdtscMedian can be computed by using the TransparentModeCheckRdtscpVmexit function.TrueIfProcessIdAndFalseIfProcessName if this field is TRUE then you should fill the ProcId with the process id that you need to transparent HyperDbg for that process.Otherwise, if you want to use a process name (not process ID), then you should set the
TrueIfProcessIdAndFalseIfProcessName to FALSE and append the process name (string) to the bottom of this structure and put the string size + 1 (null terminator) to the LengthOfProcessName.Then you should send the
sizeof(DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE)+ProcessNameStringSize as the input size of DeviceIoControl.typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE {
BOOLEAN IsHide;
UINT64 CpuidAverage;
UINT64 CpuidStandardDeviation;
UINT64 CpuidMedian;
UINT64 RdtscAverage;
UINT64 RdtscStandardDeviation;
UINT64 RdtscMedian;
BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
UINT32 ProcId;
UINT32 LengthOfProcessName; // in the case of !hide name xxx, this parameter
// shows the length of xxx
UINT64 KernelStatus; /* DEBUGEER_OPERATION_WAS_SUCCESSFULL ,
DEBUGEER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
*/
} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE,
*PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE;
If the results were successful, then the kernel sends the
DEBUGEER_OPERATION_WAS_SUCCESSFULL to user-mode as KernelStatus in the above structure, and if it was unsuccessful, then it sendsDEBUGEER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER which is an indicator of error.You can send the above structure multiple times if you want to hide multiple processes.
This command will not guarantee to provide 100% transparency, especially in nested-virtualization environments.
HyperDbg will protect you from user-mode anti-hypervisor methods by making vm-exits transparent even in a nested-virtualization environment; however, there are other traces for anti-VMware, anti-VirtualBox, etc. methods and these methods are still problematic because, HyperDbg tries to hide itself from anti-debugging and anti-hypervisor methods and it won't hide VMware, VirtualBox, etc. thus, you need to run this command in a physical-machine (not in a nested-virtualization environment); otherwise you should find other traces for virtual machine software and solve those traces by yourself (e.g., hooking anti-VMware APIs and Queries).
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
None