!unhide (disable transparent-mode)

Description of the '!unhide' command in HyperDbg.

Command
!unhide
Syntax
!unhide
Description
Disables the transparent-mode of HyperDbg.
Parameters
None
Examples
HyperDbg> !unhide
IOCTL
You should send the IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER IOCTL to enable or disable transparent-mode.
The following structure shows whether enable or disable it.
IsHide = TRUE : Enable transparent-mode.
IsHide = FALSE: Disable transparent-mode.
You should not fill anything else if you want to disable transparent-mode, just set the IsHide.
typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE {
​
  BOOLEAN IsHide;
​
  UINT64 CpuidAverage;
  UINT64 CpuidStandardDeviation;
  UINT64 CpuidMedian;
  UINT64 RdtscAverage;
  UINT64 RdtscStandardDeviation;
  UINT64 RdtscMedian;
  BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
  UINT32 ProcId;
  UINT32 LengthOfProcessName; // in the case of !hide name xxx, this parameter
                              // shows the length of xxx
​
  UINT64 KernelStatus; /* DEBUGEER_OPERATION_WAS_SUCCESSFULL ,
                          DEBUGEER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
                          */
​
} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE,
    *PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE;
If the results were successful, then the kernel sends DEBUGEER_OPERATION_WAS_SUCCESSFULL to user-mode (as KernelStatus to the above structure), and if it was unsuccessful, then DEBUGEER_ERROR_DEBUGGER_ALREADY_UHIDE which is an indicator that HyperDbg was not already in transparent-mode.
Remarks
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
Requirements
None
Related
​!hide (enable transparent mode)​

!hide (enable transparent-mode)

!measure (measuring and providing details for transparent-mode)

Last modified 1yr ago