Air14 / HyperHide

Hypervisor based anti anti debug plugin for x64dbg
MIT License

sc start HyperHideDrv [SC] StartService Failed 31 on Intel x64 Win10 22H2 #36

Open SH0CK1NG opened 1 year ago

SH0CK1NG commented 1 year ago

Description

[SC] StartService FAILED 31: A device attached to the system is not functioning. Ran on.bat as administrator; it reports error code 31.

Environment

VMware® Workstation 17 Pro 17.0.0 build-20800274
Physical Machine: Windows 10 Home, 64-bit (Build 19045.2965) 10.0.19045
Physical Machine Processor: Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz 2.59 GHz
Virtual Machine: Windows 10 Professional x64 22H2 19045.2965
cmd "bcdedit /set testsigning on" completed successfully and the Virtual Machine was rebooted. Test mode is displayed in the lower right corner of the desktop.

VT-x enabled

Hyper-V disabled

Virtualization-Based Security (VBS) disabled

Secure Boot disabled

Dbgview

00000001 0.00000000 [19:46:55.918] [INFORMATION] [DriverEntry:90] HyperVisor On

Regedit

driver path

SH0CK1NG commented 1 year ago

I've tried the suggestions in other issues (#32) but still failed. Does anyone else have an idea?

Yes, nested virtualization is disabled by default in Hyper-V. You should disable VBS, because airhv will not work as long as it is enabled.
Originally posted by @Air14 in https://github.com/Air14/HyperHide/issues/33#issuecomment-1480329661

Air14 commented 1 year ago

It looks like it failed to get the offsets, but this is strange because this version of Windows is supported. Are you using the latest version of hyperhide?

SH0CK1NG commented 1 year ago

I checked the version of hyperhide and replaced the old one. It still doesn't work.

info:
00000001 0.00000000 [02:02:56.261] [INFORMATION] [DriverEntry:89] HyperVisor On
00000002 0.00000870 [02:02:56.261] [INFORMATION] [DriverEntry:94] Got offsets
00000003 0.00222670 [02:02:56.261] [INFORMATION] [DriverEntry:99] Got code caves
00000004 0.03999590 [02:02:56.292] [INFORMATION] [DriverEntry:104] Got Ssdt
00000005 0.09620370 [02:02:56.355] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffff928000000000
00000006 0.09627020 [02:02:56.355] [INFORMATION] [DriverEntry:109] Hider Initialized
00000007 0.09631810 [02:02:56.355] [INFORMATION] [DriverEntry:117] PsSetCreateThreadNotifyRoutine succeded
00000008 0.09634030 [02:02:56.355] [INFORMATION] [DriverEntry:126] PsSetCreateProcessNotifyRoutine succeded
00000009 0.09641450 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA1
00000010 0.09645120 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
00000011 0.09647850 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
00000012 0.09650390 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
00000013 0.09653480 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1BE
00000014 0.09670520 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x18C
00000015 0.09675200 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
00000016 0.09680780 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF3
00000017 0.09682210 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
00000018 0.09684250 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
00000019 0.09685810 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC2
00000020 0.09687320 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
00000021 0.09688870 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
00000022 0.09691320 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
00000023 0.09698630 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
00000024 0.09705030 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
00000025 0.09707430 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x14B
00000026 0.09709050 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xC9
00000027 0.09710840 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xF8
00000028 0.09712700 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
00000029 0.09714650 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x12F
00000030 0.09717030 [02:02:56.355] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
00000031 0.09740520 [02:02:56.355] [INFORMATION] [hook_function:653] Page already hooked
00000032 0.09747730 [02:02:56.355] [INFORMATION] [hook_function:653] Page already hooked
00000033 0.09756250 [02:02:56.355] [INFORMATION] [hook_function:653] Page already hooked
00000034 0.09761920 [02:02:56.355] [ERROR] [hook_function:638] Requested virtual memory doesn't exist in physical one
00000035 0.09766470 [02:02:56.355] [ERROR] [HookNtSyscalls:1816] NtSystemDebugControl hook failed

Now the issue is similar to #30, but a little bit different.

SH0CK1NG commented 1 year ago

The version I used is HyperHide_2023-02-16

GsoyG commented 1 year ago

I made the same mistake, but I discovered a very magical thing: start HyperHideDrv first and then airhv, and everything will be normal. If you start airhv first and then start HyperHideDrv, you will get the above error.

toriany commented 12 months ago

I made the same mistake, but I discovered a very magical thing: start HyperHideDrv first and then airhv, and everything will be normal. If you start airhv first and then start HyperHideDrv, you will get the above error.

this works for me. thank you.
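The workaround GsoyG and toriany describe is purely a start-order issue, and the prerequisites Air14 lists (test signing on, Hyper-V off, VBS off) are all things that can be checked before touching the drivers. The script below is an added example written for this thread, not part of HyperHide or of the project's on.bat: it verifies those prerequisites from the BCD store and the DeviceGuard WMI class, then starts the two kernel services in the order reported to work (HyperHideDrv first, airhv second), surfacing the sc.exe error code (31 here) if a start fails. It assumes both services are already registered under the names "HyperHideDrv" and "airhv" as used in the thread; the service names, the ten-second wait and the hypervisorlaunchtype check are this example's assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example for this issue, not HyperHide project code.
# Assumes the kernel services "HyperHideDrv" and "airhv" are already registered
# (e.g. by the project's own install script).

$ErrorActionPreference = 'Stop'

function Test-Prerequisites {
    $problems = @()

    # Test signing must be on for test-signed drivers ("bcdedit /set testsigning on").
    $bcd = (bcdedit /enum '{current}') -join "`n"
    if ($bcd -notmatch '(?im)^\s*testsigning\s+Yes') {
        $problems += 'testsigning is not enabled (bcdedit /set testsigning on, then reboot)'
    }

    # Hyper-V must not be the running hypervisor, or airhv cannot take over VT-x.
    # Assumption: Hyper-V state is reflected by hypervisorlaunchtype in the BCD entry.
    if ($bcd -match '(?im)^\s*hypervisorlaunchtype\s+Auto') {
        $problems += 'hypervisorlaunchtype is Auto (bcdedit /set hypervisorlaunchtype off, then reboot)'
    }

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    if ($dg.VirtualizationBasedSecurityStatus -eq 2) {
        $problems += 'VBS is running; airhv will not work while it is enabled'
    }

    return $problems
}

function Start-KernelService {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { throw "service '$Name' is not registered; run the project's install script first" }
    if ($svc.Status -eq 'Running') { Write-Host "$Name already running"; return }

    # sc.exe exits with the Win32 error code; 31 is ERROR_GEN_FAILURE,
    # "A device attached to the system is not functioning", as seen in this issue.
    $out = & sc.exe start $Name 2>&1
    $code = $LASTEXITCODE
    if ($code -ne 0) {
        throw ("sc start {0} failed with {1}: {2}" -f $Name, $code, ($out -join ' '))
    }

    # Assumption: ten seconds is enough for DriverEntry to finish on a test VM.
    (Get-Service -Name $Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(10))
    Write-Host "$Name started"
}

$problems = Test-Prerequisites
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Order matters per the thread: HyperHideDrv before airhv.
foreach ($name in 'HyperHideDrv', 'airhv') {
    try   { Start-KernelService -Name $name }
    catch { Write-Error $_; exit 1 }
}
```

Run it from an elevated PowerShell inside the VM after a reboot with test mode showing on the desktop. If it reports a failing start, the exit code in the message is the same value sc.exe printed in the original report, so it can be matched against the Win32 error table directly.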