temporarily hyperevade project

This commit is contained in:
sina 2025-08-18 00:30:13 +02:00
parent 77422be3dd
commit a949bf66cd
No known key found for this signature in database
4 changed files with 36 additions and 1 deletions

View file

@ -11,6 +11,28 @@
*/
#include "pch.h"
VOID
TransparentHandleSystemCallHook(GUEST_REGS * Regs)
{
UNREFERENCED_PARAMETER(Regs);
}
VOID
TransparentCallbackHandleAfterSyscall(GUEST_REGS * Regs,
UINT32 ProcessId,
UINT32 ThreadId,
UINT64 Context,
SYSCALL_CALLBACK_CONTEXT_PARAMS * Params)
{
UNREFERENCED_PARAMETER(Regs);
UNREFERENCED_PARAMETER(ProcessId);
UNREFERENCED_PARAMETER(ThreadId);
UNREFERENCED_PARAMETER(Context);
UNREFERENCED_PARAMETER(Params);
}
#if DISABLE_HYPERDBG_HYPEREVADE == FALSE
/**
* @brief Handle The triggered hook on KiSystemCall64 system call handler
* when the Transparency mode is enabled
@ -1927,3 +1949,4 @@ TransparentCallbackHandleAfterSyscall(GUEST_REGS * Regs,
Params->OptionalParam4);
}
}
#endif

View file

@ -54,12 +54,13 @@ TransparentHideDebugger(HYPEREVADE_CALLBACKS * Hyperevade
RtlCopyBytes(&g_SystemCallNumbersInformation,
&TransparentModeRequest->SystemCallNumbersInformation,
sizeof(SYSTEM_CALL_NUMBERS_INFORMATION));
#if DISABLE_HYPERDBG_HYPEREVADE == FALSE
//
// Choose a random genuine vendor string to replace hypervisor vendor data
//
TRANSPARENT_GENUINE_VENDOR_STRING_INDEX = TransparentGetRand() %
(sizeof(TRANSPARENT_LEGIT_VENDOR_STRINGS_WCHAR) / sizeof(TRANSPARENT_LEGIT_VENDOR_STRINGS_WCHAR[0]));
#endif
//
// Enable the transparent mode

View file

@ -161,6 +161,8 @@ SYSTEM_CALL_NUMBERS_INFORMATION g_SystemCallNumbersInformation;
// Constants //
//////////////////////////////////////////////////
#if DISABLE_HYPERDBG_HYPEREVADE == FALSE
/**
* @brief A list of windows processes, for which to ignore systemcall requests
* when the transparency mode is enabled
@ -609,6 +611,8 @@ static const PCHAR HV_FIRM_NAMES[] = {
};
#endif
//////////////////////////////////////////////////
// Functions //
//////////////////////////////////////////////////

View file

@ -23,6 +23,13 @@
#ifdef ENV_WINDOWS
//
// The DLL is flagged by antivirus software, since it contains anti-debugging and anti-hypervisor methods
// as well as different anti-debugging strings
// For now, we disable the HyperDbg Hyperevade module
//
# define DISABLE_HYPERDBG_HYPEREVADE TRUE
//
// Windows defined functions
//