!unhide (disable transparent-mode)
Description of the '!unhide' command in HyperDbg.
!unhide
!unhide
Disables the transparent-mode of HyperDbg.
None
HyperDbg> !unhide
You should send the IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER IOCTL to enable or disable transparent-mode. The following structure shows whether to enable or disable it.
IsHide = TRUE: Enable transparent-mode.
IsHide = FALSE: Disable transparent-mode.
You should not fill anything else if you want to disable transparent-mode, just set the IsHide field.
typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE {
    BOOLEAN IsHide;
    UINT64 CpuidAverage;
    UINT64 CpuidStandardDeviation;
    UINT64 CpuidMedian;
    UINT64 RdtscAverage;
    UINT64 RdtscStandardDeviation;
    UINT64 RdtscMedian;
    BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
    UINT32 ProcId;
    UINT32 LengthOfProcessName; // in the case of !hide name xxx, this parameter
                                // shows the length of xxx
    UINT64 KernelStatus; /* DEBUGEER_OPERATION_WAS_SUCCESSFULL ,
                            DEBUGEER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
                          */
} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE,
    *PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE;
If the operation was successful, the kernel sends DEBUGEER_OPERATION_WAS_SUCCESSFULL to user-mode (in the KernelStatus field of the above structure). If it was unsuccessful, the kernel sends DEBUGEER_ERROR_DEBUGGER_ALREADY_UHIDE, which indicates that HyperDbg was not in transparent-mode.
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
None
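The unhide request described above, as an added example that is not HyperDbg's own code: it zeroes the structure, sets only IsHide, and checks both the transport result and KernelStatus. The numeric status values, the send_ioctl_fn callback (standing in for DeviceIoControl on the driver handle) and stub_driver are assumptions made so the code runs offline.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins for the Windows types used in the structure on this page. */
typedef uint8_t BOOLEAN; typedef uint32_t UINT32; typedef uint64_t UINT64;

/* Placeholder values (assumption): take the real ones from the HyperDbg headers. */
#define DEBUGEER_OPERATION_WAS_SUCCESSFULL    0x1ULL
#define DEBUGEER_ERROR_DEBUGGER_ALREADY_UHIDE 0x2ULL

typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE {
    BOOLEAN IsHide;
    UINT64 CpuidAverage, CpuidStandardDeviation, CpuidMedian;
    UINT64 RdtscAverage, RdtscStandardDeviation, RdtscMedian;
    BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
    UINT32 ProcId, LengthOfProcessName;
    UINT64 KernelStatus;
} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE;

/* Hypothetical transport: returns nonzero when the IOCTL itself was delivered. */
typedef int (*send_ioctl_fn)(void *ctx, DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE *req);

typedef enum { UNHIDE_OK, UNHIDE_NOT_HIDDEN, UNHIDE_IOCTL_FAILED, UNHIDE_OTHER_STATUS } unhide_result;

unhide_result request_unhide(send_ioctl_fn send, void *ctx)
{
    DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE req;
    memset(&req, 0, sizeof(req)); /* nothing except IsHide is filled for unhide */
    req.IsHide = 0;               /* FALSE: disable transparent-mode */
    if (!send(ctx, &req)) return UNHIDE_IOCTL_FAILED;
    switch (req.KernelStatus) {   /* delivery succeeded; now read the kernel's verdict */
    case DEBUGEER_OPERATION_WAS_SUCCESSFULL:    return UNHIDE_OK;
    case DEBUGEER_ERROR_DEBUGGER_ALREADY_UHIDE: return UNHIDE_NOT_HIDDEN;
    default:                                    return UNHIDE_OTHER_STATUS;
    }
}

/* Constructed stand-in for the driver; ctx points to an int "currently hidden" flag. */
int stub_driver(void *ctx, DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE *req)
{
    int *hidden = ctx;
    if (!req->IsHide && !*hidden) {
        req->KernelStatus = DEBUGEER_ERROR_DEBUGGER_ALREADY_UHIDE;
    } else {
        *hidden = req->IsHide;
        req->KernelStatus = DEBUGEER_OPERATION_WAS_SUCCESSFULL;
    }
    return 1;
}

int main(void) { int hidden = 1; return request_unhide(stub_driver, &hidden) != UNHIDE_OK; }
```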