Air14 / HyperHide

Hypervisor based anti anti debug plugin for x64dbg
MIT License

Request for new features - CPUID - RDTSC #6

Closed. UnlimitedChild closed this issue 3 years ago.

UnlimitedChild commented 3 years ago

Hi,

Some features, CPUID and RDTSC hooking, are missing from this plugin.

Best regards

Air14 commented 3 years ago

RDTSC is, in my opinion, too sensitive to hook, so this feature probably won't be implemented. Also, what information would you want to hide with CPUID hooking?

UnlimitedChild commented 3 years ago

Modern security tools use these methods to detect program debugging. CPUID is used to bind the program execution environment and to perform anti-dump protection.

Attachment: hypervisor_example_rdtsc-master.zip

nblog commented 3 years ago

'CPUID' can detect VMs. It will detect the hypervisor; for this type, it will be treated as a virtual machine environment.

UnlimitedChild commented 3 years ago

Detecting VMs using the CPUID instruction - https://github.com/ioncodes/is-vm/blob/master/vm.asm
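The CPUID fields nblog and the is-vm link above refer to are the hypervisor-present bit (CPUID.1:ECX[31]) and the vendor signature leaf 0x40000000. The following C program is an added example (not code from HyperHide, the is-vm repository or anyone in this thread) that reads and decodes them on the current machine, so a plugin user can check whether a hypervisor is exposed through CPUID. The decoder is kept separate from the CPUID call so it can be exercised with constructed register values.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define HV_PRESENT_BIT (1u << 31) /* CPUID.1:ECX[31], reserved for hypervisors */

struct hv_info {
    int present;        /* CPUID.1:ECX[31] is set */
    uint32_t max_leaf;  /* CPUID.40000000h:EAX, highest hypervisor leaf */
    char vendor[13];    /* EBX, ECX, EDX of leaf 40000000h as ASCII */
};

/* Pure decoder: takes raw register values so it can be tested with constructed input.
   The vendor string is packed little-endian across EBX, ECX, EDX (4 bytes each). */
struct hv_info decode_hv_info(uint32_t leaf1_ecx, uint32_t hv_eax,
                              uint32_t hv_ebx, uint32_t hv_ecx, uint32_t hv_edx)
{
    struct hv_info info = {0};
    const uint32_t regs[3] = {hv_ebx, hv_ecx, hv_edx};
    info.present = (leaf1_ecx & HV_PRESENT_BIT) != 0;
    info.max_leaf = hv_eax;
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            info.vendor[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xff);
    info.vendor[12] = '\0';
    return info;
}

/* Executes CPUID on the running CPU. Returns 0 when built for a non-x86 target. */
int query_hv_info(struct hv_info *out)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    __cpuid(1, a, b, c, d);
    uint32_t leaf1_ecx = c;
    __cpuid(0x40000000, a, b, c, d);
    *out = decode_hv_info(leaf1_ecx, a, b, c, d);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    struct hv_info info;
    if (!query_hv_info(&info)) { puts("not an x86 build"); return 0; }
    printf("hypervisor-present bit: %d\n", info.present);
    if (info.present)
        printf("vendor: \"%s\", max leaf 0x%08x\n", info.vendor, info.max_leaf);
    return 0;
}
```

Leaf 0x40000000 is read unconditionally because its contents are only meaningful when the present bit is set; on bare metal the registers hold whatever the CPU returns for an out-of-range leaf.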

UnlimitedChild commented 3 years ago

> 'CPUID' can detect VMs. It will detect the hypervisor; for this type, it will be treated as a virtual machine environment.

Does this plugin have nested virtualization support ?!

Air14 commented 3 years ago

> 'CPUID' can detect VMs. It will detect the hypervisor; for this type, it will be treated as a virtual machine environment.
>
> Does this plugin have nested virtualization support ?!

No, it doesn't.

Air14 commented 3 years ago

Added a new feature in HyperHide_2021-07-19 which allows hiding the presence of the hypervisor (only CPUID; RDTSC/RDTSCP are still not supported).