HyperDbg Documentation
HyperDbgDownloadSource codeBlog
Search…
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
User-mode Debugging
Kernel-mode Debugging
Commands
Debugging Commands
Meta Commands
Extension Commands
!pte (display page-level address and entries)
!db, !dc, !dd, !dq (read physical memory)
!eb, !ed, !eq (edit physical memory)
!sb, !sd, !sq (search physical memory)
!u, !u2 (disassemble physical address)
!dt (display and map physical memory to structures)
!epthook (hidden hook with EPT - stealth breakpoints)
!epthook2 (hidden hook with EPT - detours)
!monitor (monitor read/write to a page)
!syscall, !syscall2 (hook system-calls)
!sysret, !sysret2 (hook SYSRET instruction execution)
!cpuid (hook CPUID instruction execution)
!msrread (hook RDMSR instruction execution)
!msrwrite (hook WRMSR instruction execution)
!tsc (hook RDTSC/RDTSCP instruction execution)
!pmc (hook RDPMC instruction execution)
!vmcall (hook hypercalls)
!exception (hook first 32 entries of IDT)
!interrupt (hook external device interrupts)
!dr (hook access to debug registers)
!ioin (hook IN instruction execution)
!ioout (hook OUT instruction execution)
!hide (enable transparent-mode)
!unhide (disable transparent-mode)
!measure (measuring and providing details for transparent-mode)
!va2pa (convert a virtual address to physical address)
!pa2va (convert physical address to virtual address)
Scripting Language
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
Debugger Internals
Script Engine
Links
Twitter
YouTube
Doxygen
Contribution
Powered By GitBook
!unhide (disable transparent-mode)
Description of the '!unhide' command in HyperDbg.

Command

!unhide

Syntax

!unhide

Description

Disables the transparent-mode of HyperDbg.

Parameters

None

Examples

1
HyperDbg> !unhide
Copied!

IOCTL

You should send the IOCTL_DEBUGGER_HIDE_AND_UNHIDE_TO_TRANSPARENT_THE_DEBUGGER IOCTL to enable or disable transparent-mode.
The following structure shows whether enable or disable it.
IsHide = TRUE : Enable transparent-mode.
IsHide = FALSE: Disable transparent-mode.
You should not fill anything else if you want to disable transparent-mode, just set the IsHide.
1
typedef struct _DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE {
2
​
3
BOOLEAN IsHide;
4
​
5
UINT64 CpuidAverage;
6
UINT64 CpuidStandardDeviation;
7
UINT64 CpuidMedian;
8
UINT64 RdtscAverage;
9
UINT64 RdtscStandardDeviation;
10
UINT64 RdtscMedian;
11
BOOLEAN TrueIfProcessIdAndFalseIfProcessName;
12
UINT32 ProcId;
13
UINT32 LengthOfProcessName; // in the case of !hide name xxx, this parameter
14
// shows the length of xxx
15
​
16
UINT64 KernelStatus; /* DEBUGEER_OPERATION_WAS_SUCCESSFULL ,
17
DEBUGEER_ERROR_UNABLE_TO_HIDE_OR_UNHIDE_DEBUGGER
18
*/
19
​
20
} DEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE,
21
*PDEBUGGER_HIDE_AND_TRANSPARENT_DEBUGGER_MODE;
Copied!
If the results were successful, then the kernel sends DEBUGEER_OPERATION_WAS_SUCCESSFULL to user-mode (as KernelStatus to the above structure), and if it was unsuccessful, then DEBUGEER_ERROR_DEBUGGER_ALREADY_UHIDE which is an indicator that HyperDbg was not already in transparent-mode.

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None
Previous
!hide (enable transparent-mode)
Next
!measure (measuring and providing details for transparent-mode)
Last modified 29d ago
Copy link
Edit on GitHub
Contents
Command
Syntax
Description
Parameters
Examples
IOCTL
Remarks
Requirements
Related