search

Air14 / HyperHide

Hypervisor based anti anti debug plugin for x64dbg
MIT License
1.29k stars 296 forks source link

Issue Starting Drivers #14

Closed MoneyWasted closed 3 years ago

MoneyWasted commented 3 years ago

I've tried multiple times and nothing seems to work. Any suggestions. Image

Air14 commented 3 years ago

Did you put these drivers to binpath which you specified? And secondly you can use Dbgview form sysinternals suite to check error messages, be sure to have checked these options Dbgview

Air14 commented 3 years ago

Closed due to no response

mike-code commented 3 years ago

I have the same issue. I ran debugview but it didn't log anything in the output (I tried unloading and loading the other driver, HyperHideDrv and I could see some output in the dbgview so it does capture events)

​C:\Users\retard\Downloads\HyperHide\Scripts
λ  sc.exe create AirHV type= "Kernel" binpath= "C:\Windows\system32\drivers\AirHV.sys"
[SC] CreateService SUCCESS
​C:\Users\retard\Downloads\HyperHide\Scripts
λ  sc.exe start AirHV
[SC] StartService FAILED 2:

The system cannot find the file specified.

image

Air14 commented 3 years ago

Do you have intel processor? Also if you are trying to turn it in virtual machine remember to turn on VT-x in settings

mike-code commented 3 years ago

I do and I was trying to run it on host (not VM). I managed to solve it though and I have two remarks.

So the message window throws up (the system cannot find the file specified) is misleading. I thought that perhaps the driver you've built is for some reason incompatible so I went to your airhv project to build it myself. Then, I created service using the driver I've compiled myself and this time I got more appropriate error, namely "vmx operation is not supported on this processor".

I then googled up that I can use Intel Processor Identification Utility to figure out whether I have VT-x and EPT support. It turned out that I don't even though I do have it enabled in BIOS. This long SU thread suggested that if you've installed Docker, which enables HyperV win feature, your VT-x won't be available. In my case it was not just Docker but also WSL which kept vt-x "disabled". After getting rid of both of them, the driver now loads (both yours and the one I compiled).

Time to dive in your extension (imblyign I know what I'm doing) to figure out I can't into asm:(

MoneyWasted commented 3 years ago

Oh shit I complete forgot I had this open. I do have an AMD CPU if that's the reason it wasn't working.