Added support for Windows 11 and Windows 21H2 and fixed some minor bugs
Air14 committed Oct 14, 2021
1 parent 9d05dc2 commit 11d9ebc
Showing 8 changed files with 73 additions and 23 deletions.
2 changes: 1 addition & 1 deletion HyperHide/HyperHideDrv.h
Expand Up @@ -31,7 +31,7 @@ typedef struct _HIDE_INFO
BOOLEAN HookNtUserQueryWindow;
BOOLEAN HookNtUserGetForegroundWindow;
BOOLEAN HookKuserSharedData;
BOOLEAN HookKiExceptionDispatch;
BOOLEAN HookKiDispatchException;
BOOLEAN HookNtSetInformationProcess;
BOOLEAN ClearPebBeingDebugged;
BOOLEAN ClearPebNtGlobalFlag;
3 changes: 3 additions & 0 deletions HyperHideDrv/GlobalData.h
Expand Up @@ -18,6 +18,9 @@
#define WINDOWS_10_VERSION_20H1 19041
#define WINDOWS_10_VERSION_20H2 19042
#define WINDOWS_10_VERSION_21H1 19043
#define WINDOWS_10_VERSION_21H2 19044
#define WINDOWS_11 22000


typedef struct _HYPER_HIDE_GLOBAL_DATA
{
1 change: 1 addition & 0 deletions HyperHideDrv/Hider.h
Expand Up @@ -63,6 +63,7 @@ typedef struct _HIDE_INFO
BOOLEAN HookNtUserQueryWindow;
BOOLEAN HookNtUserGetForegroundWindow;
BOOLEAN HookKuserSharedData;
BOOLEAN HookKiDispatchException;
BOOLEAN HookNtSetInformationProcess;
BOOLEAN ClearPebBeingDebugged;
BOOLEAN ClearPebNtGlobalFlag;
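Review bot: HIDE_INFO is declared twice — here and in HyperHide/HyperHideDrv.h, where the same field is renamed in this commit — and the added `BOOLEAN HookKiDispatchException;` has to sit at the same position in both copies for the two sides (presumably user mode and the driver) to agree on the layout. Nothing in the code enforces that, so a comment on this struct such as `// Layout must match HIDE_INFO in HyperHide/HyperHideDrv.h (same fields, same order)` would at least make the coupling visible, and a `static_assert` on `sizeof(HIDE_INFO)` in a header both sides include would catch drift mechanically. The struct begins and ends outside the hunk.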
65 changes: 52 additions & 13 deletions HyperHideDrv/HookHelper.cpp
Expand Up @@ -147,31 +147,58 @@ BOOLEAN IsWindowBad(HANDLE hWnd)

BOOLEAN HookKiDispatchException(PVOID HookedKiDispatchException, PVOID* OriginalKiDispatchException)
{
PVOID KernelTextSectionBase = 0;
ULONG64 KernelTextSectionSize = 0;
CHAR* Pattern = "\x8B\x00\x50\x00\x8B\x00\x58\x48\x8D\x4D\x00\xE8\x00\x00\x00\xFF\x8B\x55";
CHAR* Mask = "x?x?x?xxxx?x???xxx";
PVOID KernelSectionBase = 0;
ULONG64 KernelSectionSize = 0;
CHAR* Pattern = g_HyperHide.CurrentWindowsBuildNumber >= WINDOWS_11 ? "\x24\x00\x00\x41\xB1\x01\x48\x8D\x4C\x24\x00\xE8" : "\x8B\x00\x50\x00\x8B\x00\x58\x48\x8D\x4D\x00\xE8\x00\x00\x00\xFF\x8B\x55";
CHAR* Mask = g_HyperHide.CurrentWindowsBuildNumber >= WINDOWS_11 ? "x??xxxxxxx?x" : "x?x?x?xxxx?x???xxx";
CHAR* Section = g_HyperHide.CurrentWindowsBuildNumber >= WINDOWS_11 ? "PAGE" : ".text";

if (GetSectionData("ntoskrnl.exe", ".text", KernelTextSectionSize, KernelTextSectionBase) == FALSE)
if (GetSectionData("ntoskrnl.exe", Section, KernelSectionSize, KernelSectionBase) == FALSE)
return FALSE;

PVOID KiExceptionDispatchAddress = FindSignature(KernelTextSectionBase, KernelTextSectionSize, Pattern, Mask);
if ((ULONG64)KiExceptionDispatchAddress >= (ULONG64)KernelTextSectionBase && (ULONG64)KiExceptionDispatchAddress <= (ULONG64)KernelTextSectionBase + KernelTextSectionSize)
PVOID KiDispatchExceptionAddress = FindSignature(KernelSectionBase, KernelSectionSize, Pattern, Mask);
if ((ULONG64)KiDispatchExceptionAddress >= (ULONG64)KernelSectionBase && (ULONG64)KiDispatchExceptionAddress <= (ULONG64)KernelSectionBase + KernelSectionSize)
{
KiExceptionDispatchAddress = (PVOID)(*(LONG*)((ULONG64)KiExceptionDispatchAddress + 12) + (LONGLONG)((ULONG64)KiExceptionDispatchAddress + 16));
KiDispatchExceptionAddress = (PVOID)(*(LONG*)((ULONG64)KiDispatchExceptionAddress + 12) + (LONGLONG)((ULONG64)KiDispatchExceptionAddress + 16));

LogInfo("KiExceptionDispatch address: 0x%llx", KiExceptionDispatchAddress);
LogInfo("KiDispatchException address: 0x%llx", KiDispatchExceptionAddress);

if ((ULONG64)KiExceptionDispatchAddress >= (ULONG64)KernelTextSectionBase && (ULONG64)KiExceptionDispatchAddress <= (ULONG64)KernelTextSectionBase + KernelTextSectionSize)
return hv::hook_function(KiExceptionDispatchAddress, HookedKiDispatchException, OriginalKiDispatchException);
return hv::hook_function(KiDispatchExceptionAddress, HookedKiDispatchException, OriginalKiDispatchException);
}

return FALSE;
}

VOID GetNtSyscallNumbers(NT_SYSCALL_NUMBERS &SyscallNumbers)
{
if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1)
if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_11)
{
SyscallNumbers.NtSetInformationThread = 0xd;
SyscallNumbers.NtQueryInformationProcess = 0x19;
SyscallNumbers.NtQueryObject = 0x10;
SyscallNumbers.NtSystemDebugControl = 0x1c8;
SyscallNumbers.NtSetContextThread = 0x194;
SyscallNumbers.NtQuerySystemInformation = 0x36;
SyscallNumbers.NtGetContextThread = 0xf7;
SyscallNumbers.NtClose = 0xf;
SyscallNumbers.NtQueryInformationThread = 0x25;
SyscallNumbers.NtCreateThreadEx = 0xC5;
SyscallNumbers.NtCreateFile = 0x55;
SyscallNumbers.NtCreateProcessEx = 0x4d;
SyscallNumbers.NtYieldExecution = 0x46;
SyscallNumbers.NtQuerySystemTime = 0x5a;
SyscallNumbers.NtQueryPerformanceCounter = 0x31;
SyscallNumbers.NtContinue = 0xa3;
SyscallNumbers.NtQueryInformationJobObject = 0x150;
SyscallNumbers.NtCreateUserProcess = 0xcd;
SyscallNumbers.NtGetNextProcess = 0xfc;
SyscallNumbers.NtOpenProcess = 0x26;
SyscallNumbers.NtOpenThread = 0x134;
SyscallNumbers.NtSetInformationProcess = 0x1c;
}

else if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1 ||
g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H2)
{
SyscallNumbers.NtSetInformationThread = 0xd;
SyscallNumbers.NtQueryInformationProcess = 0x19;
Expand Down Expand Up @@ -486,7 +513,19 @@ VOID GetNtSyscallNumbers(NT_SYSCALL_NUMBERS &SyscallNumbers)

VOID GetWin32kSyscallNumbers(WIN32K_SYSCALL_NUMBERS& SyscallNumbers)
{
if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1)
if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_11)
{
SyscallNumbers.NtUserFindWindowEx = 0x67;
SyscallNumbers.NtUserBuildHwndList = 0x1a;
SyscallNumbers.NtUserQueryWindow = 0xe;
SyscallNumbers.NtUserGetForegroundWindow = 0x37;
SyscallNumbers.NtUserGetThreadState = 0x0;
SyscallNumbers.NtUserInternalGetWindowText = 0x5D;
SyscallNumbers.NtUserGetClassName = 0x74;
}

if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1 ||
g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H2)
{
SyscallNumbers.NtUserFindWindowEx = 0x6c;
SyscallNumbers.NtUserBuildHwndList = 0x1c;
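Review bot: The range check on the FindSignature result at the `if ((ULONG64)KiDispatchExceptionAddress >= ...` line still validates only the match start, yet the next line reads a LONG at +12 and resolves it relative to +16, so a match in the last 16 bytes of the section reads past the section end; tightening the upper bound to `(ULONG64)KiDispatchExceptionAddress + 16 <= (ULONG64)KernelSectionBase + KernelSectionSize` closes that (the current `<= base + size` also admits the one-past-the-end address). The second range check on the resolved target was dropped along with the rename, so a false-positive pattern match now goes straight into hv::hook_function; if the Windows 11 target can legitimately lie outside the scanned section, a non-null check plus a comment saying why the section check no longer applies would document that rather than leave it looking accidental. In GetWin32kSyscallNumbers the new `if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_11)` block is followed by a plain `if`, whereas the parallel change in GetNtSyscallNumbers uses `else if`; making it `else if` matches the sibling and keeps the chain mutually exclusive by construction. GetNtSyscallNumbers and GetWin32kSyscallNumbers both continue past their hunks.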
2 changes: 1 addition & 1 deletion HyperHideDrv/HookedFunctions.cpp
Expand Up @@ -1926,7 +1926,7 @@ BOOLEAN HookSyscalls()

if (HookKiDispatchException(HookedKiDispatchException, (PVOID*)&OriginalKiDispatchException) == FALSE)
{
LogError("KiExceptionDispatch hook failed");
LogError("KiDispatchException hook failed");
return FALSE;
}

8 changes: 2 additions & 6 deletions HyperHideDrv/KuserSharedData.cpp
Expand Up @@ -15,15 +15,10 @@ BOOLEAN GetPfnDatabase()
{
ULONG64 TextSize;
PVOID TextBase;
ULONG64 AlmostroSize;
PVOID AlmostroBase;

if (GetSectionData("ntoskrnl.exe", ".text", TextSize, TextBase) == FALSE)
return FALSE;

if (GetSectionData("ntoskrnl.exe", "ALMOSTRO", AlmostroSize, AlmostroBase) == FALSE)
return FALSE;

CONST CHAR* Pattern = "\x48\x8B\x05\x00\x00\x00\x00\x48\x89\x43\x18\x48\x8D\x05";
CONST CHAR* Mask = "xxx????xxxxxxx";

Expand Down Expand Up @@ -174,7 +169,8 @@ VOID UpdateDelta(PEPROCESS DebuggedProcess)
HiddenProcess->Kusd.DeltaTimeUpdateLock += KernelKuserSharedData->TimeUpdateLock - HiddenProcess->Kusd.BeginTimeUpdateLock;
HiddenProcess->Kusd.DeltaBaselineSystemQpc += KernelKuserSharedData->BaselineSystemTimeQpc - HiddenProcess->Kusd.BeginBaselineSystemQpc;

RtlZeroMemory(&HiddenProcess->Kusd.BeginInterruptTime, sizeof(ULONG64) * 5 + 4); /// oddd
RtlZeroMemory(&HiddenProcess->Kusd.BeginInterruptTime, sizeof(ULONG64) * 5 + 4);

break;
}
}
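Review bot: The `RtlZeroMemory(&HiddenProcess->Kusd.BeginInterruptTime, sizeof(ULONG64) * 5 + 4);` line only loses its `/// oddd` marker here; the hand-counted length still presumably spans several Begin* fields after BeginInterruptTime, and the extra four bytes have no stated origin, so a reorder or type change in that struct silently shifts what gets cleared. A comment naming the range, `// clears the Begin* fields from BeginInterruptTime through <last field> — keep in sync with the struct`, or deriving the length from `FIELD_OFFSET` of the first and last field instead of a literal, would make the intent checkable. UpdateDelta starts before the hunk.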
13 changes: 12 additions & 1 deletion HyperHideDrv/Utils.cpp
Expand Up @@ -593,7 +593,18 @@ BOOLEAN IsSetThreadContextRestricted(PEPROCESS TargetProcess)

BOOLEAN GetOffsets()
{
if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1)
if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_11)
{
NtapiOffsets.BypassProcessFreezeFlagOffset = 0x74;
NtapiOffsets.ThreadHideFromDebuggerFlagOffset = 0x560;
NtapiOffsets.ThreadBreakOnTerminationFlagOffset = 0x560;
NtapiOffsets.PicoContextOffset = 0x630;
NtapiOffsets.RestrictSetThreadContextOffset = 0x460;
NtapiOffsets.SeAuditProcessCreationInfoOffset = 0x5c0;
}

else if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H2 ||
g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1)
{
NtapiOffsets.BypassProcessFreezeFlagOffset = 0x74;
NtapiOffsets.ThreadHideFromDebuggerFlagOffset = 0x510;
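Review bot: The new Windows 11 branch selects on `== WINDOWS_11` (build 22000 exactly), while HookKiDispatchException in HookHelper.cpp selects its Windows 11 signature with `>= WINDOWS_11`, so a later build would take the new signature path there but fall through this chain; whether that ends in a clean failure depends on the rest of GetOffsets, which is outside the hunk. Using the same comparison in both places, or a comment stating that only build 22000 is supported and that the trailing branch must reject unknown builds, would make the intent explicit. The six offsets are bare numbers; a per-line comment naming the structure and field each was taken from (e.g. `// <struct>.<field>, build 22000`) would let the next build bump be verified against symbols. `ThreadHideFromDebuggerFlagOffset` and `ThreadBreakOnTerminationFlagOffset` both being 0x560 looks intentional (likely the same flags word) but deserves a comment so it is not mistaken for a copy-paste slip.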
2 changes: 1 addition & 1 deletion airhv
