Air14 / HyperHide

Hypervisor based anti anti debug plugin for x64dbg
MIT License

sc start HyperHideDrv [SC] StartService Failed 31 on Intel x64 Win11 23H2 #48

Open gsmlm opened 6 months ago

gsmlm commented 6 months ago

Start HyperHideDrv first, the computer will have a blue screen

DebugView Log

[12:07:14.422] [INFORMATION] [DriverEntry:89] HyperVisor On
[12:07:14.422] [INFORMATION] [DriverEntry:94] Got offsets
[12:07:14.455] [INFORMATION] [DriverEntry:99] Got Ssdt
[12:07:14.504] [INFORMATION] [GetPfnDatabase:28] MmPfnDataBase address 0xffff908000000000
[12:07:14.504] [INFORMATION] [DriverEntry:104] Hider Initialized
[12:07:14.504] [INFORMATION] [DriverEntry:112] PsSetCreateThreadNotifyRoutine succeded
[12:07:14.504] [INFORMATION] [DriverEntry:121] PsSetCreateProcessNotifyRoutine succeded
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtContinueEx is equal: 0xA3
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationThread is equal: 0xD
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationProcess is equal: 0x19
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryObject is equal: 0x10
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSystemDebugControl is equal: 0x1CD
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetContextThread is equal: 0x198
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemInformation is equal: 0x36
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetContextThread is equal: 0xF9
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtClose is equal: 0xF
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationThread is equal: 0x25
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateThreadEx is equal: 0xC7
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateFile is equal: 0x55
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateProcessEx is equal: 0x4D
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtYieldExecution is equal: 0x46
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQuerySystemTime is equal: 0x5A
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryPerformanceCounter is equal: 0x31
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtQueryInformationJobObject is equal: 0x154
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtCreateUserProcess is equal: 0xCF
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtGetNextProcess is equal: 0xFE
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenProcess is equal: 0x26
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtOpenThread is equal: 0x137
[12:07:14.504] [DEBUG] [GetNtSyscallNumbers:109] Syscall NtSetInformationProcess is equal: 0x1C
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserBuildHwndList is equal: 0x1A
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserFindWindowEx is equal: 0x67
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserQueryWindow is equal: 0xE
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetForegroundWindow is equal: 0x37
[12:07:14.765] [DEBUG] [GetWin32kSyscallNumbers:194] Syscall NtUserGetThreadState is equal: 0x0
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [hook_function:561] Requested virtual memory doesn't exist in physical one
[12:07:14.793] [ERROR] [HookWin32kSyscalls:1860] NtUserFindWindowEx hook failed

Trollicus commented 4 months ago

Having the same issue: "the driver was not loaded because it failed its initialization call"