Defeating Anti-Debug & Anti-Hypervisor Methods
Using Transparent-mode in HyperDbg
Transparent-mode is an anti-anti-debugging and an anti-anti-hypervisor solution for HyperDbg.
If you enable this mode, HyperDbg tries to make itself transparent to anti-debugging and anti-hypervisor methods and not to reveal the hypervisor's presence to timing and microarchitectural attacks. It does not guarantee 100% transparency, but it makes detection substantially harder for anti-debugging methods.
You can use Transparent Mode in both VMI Mode and Debugger Mode.
Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
If we load HyperDbg and run pafish, we see the following results:
As you can see in the above picture, HyperDbg is detected by many checks. pafish checks for a hypervisor's presence, and since HyperDbg is built on a hypervisor, pafish reports that a debugger is present or that the environment is not safe for malware to run.
Now, we can use HyperDbg's Transparent-mode to bypass pafish.
To enable this mode, first use the '!measure' command. This command uses statistical methods to measure and provide the details that HyperDbg's transparent-mode relies on to defeat anti-debugging and anti-hypervisor methods.
If we want to use the hardcoded results and statistics measured on a machine with no hypervisor running, we can apply the default measurements with the following command.
HyperDbg> !measure default
HyperDbg> !hide pid 2a78
Most of the time, applications run their anti-debug checks in their very first execution stages; thus, it is often not possible to hide by pid, because the process has already finished checking by the time its pid is known. To solve this problem, we can hide by the name of the process instead.
We want to apply this to the pafish process, whose executable name is pafish.exe. The following command is used:
HyperDbg> !hide name pafish.exe
If we run pafish again, we see the following results.
Transparent-mode is under active development, and in each version we add new methods to it to make sure that HyperDbg stays transparent. However, this mode still needs a lot of contributions.
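To see what the '!measure' / '!hide' sequence above actually has to mask, it helps to have a small self-written probe that reads the same two signals a pafish-style tool reads: the CPUID "hypervisor present" bit and the time a CPUID instruction takes (CPUID always exits to the hypervisor, so it is the classic timing signal). The program below is an added example, not code from HyperDbg or pafish. It assumes an x86/x86-64 build with GCC or Clang; on other targets the CPUID-dependent functions return neutral values. The 1000-tick threshold is a placeholder, not a HyperDbg value: a real baseline comes from measuring the same program on a machine with no hypervisor. Run it inside the debuggee before and after hiding the process and compare the output.

```c
/* Added example (not part of HyperDbg or pafish): probe the two signals that
 * anti-hypervisor checks typically read, so the effect of transparent-mode
 * can be observed directly. Assumes x86/x86-64 with GCC or Clang. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* CPUID leaf 1, ECX bit 31 is the "hypervisor present" bit.
 * Returns 1 or 0, or -1 when the build target is not x86. */
int hypervisor_bit_set(void) {
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

/* CPUID leaf 0x40000000 returns a 12-byte vendor string in EBX:ECX:EDX
 * (only meaningful when the hypervisor bit is set). Writes it NUL-terminated
 * into out[13]; on non-x86 targets out is left empty. */
void hypervisor_vendor(char out[13]) {
    memset(out, 0, 13);
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    (void)eax;
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
#endif
}

/* One sample: TSC ticks spent executing a single CPUID instruction. */
static uint64_t cpuid_cycles_once(void) {
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    uint64_t t0 = __rdtsc();
    __cpuid(0, eax, ebx, ecx, edx);
    uint64_t t1 = __rdtsc();
    (void)eax; (void)ebx; (void)ecx; (void)edx;
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median (upper median for even n) of n samples; sorts a private copy so the
 * caller's buffer is untouched. A median is used rather than a mean because
 * it ignores interrupt and scheduler outliers; this is one simple statistic,
 * not a claim about what '!measure' computes internally. */
uint64_t median_u64(const uint64_t *samples, size_t n) {
    uint64_t *copy = malloc(n * sizeof *copy);
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* Collect n CPUID timing samples and return their median. */
uint64_t cpuid_cycles_median(size_t n) {
    uint64_t *s = malloc(n * sizeof *s);
    for (size_t i = 0; i < n; i++) s[i] = cpuid_cycles_once();
    uint64_t m = median_u64(s, n);
    free(s);
    return m;
}

/* Combined verdict: either signal alone is enough to expose a hypervisor.
 * threshold is the bare-metal baseline measured by the caller (assumption). */
int looks_like_hypervisor(int hv_bit, uint64_t median_cycles, uint64_t threshold) {
    return hv_bit == 1 || median_cycles > threshold;
}

int main(void) {
    char vendor[13];
    hypervisor_vendor(vendor);
    int bit = hypervisor_bit_set();
    uint64_t med = cpuid_cycles_median(2000);
    printf("hypervisor bit : %d\n", bit);
    printf("vendor leaf    : \"%s\"\n", vendor);
    printf("CPUID median   : %llu ticks\n", (unsigned long long)med);
    printf("verdict        : %s\n",
           looks_like_hypervisor(bit, med, 1000) ? "hypervisor visible"
                                                 : "nothing visible");
    return 0;
}
```

With transparent-mode off, the probe normally shows the hypervisor bit set and a CPUID median far above a bare-metal baseline; after '!hide name <exe>' both signals should move toward the values '!measure' recorded. If one of them still stands out, that is exactly the kind of gap the page says still needs contributions.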