diff --git a/HyperHide/HyperHideDrv.h b/HyperHide/HyperHideDrv.h index dfc0c8f..dc30b86 100644 --- a/HyperHide/HyperHideDrv.h +++ b/HyperHide/HyperHideDrv.h @@ -31,7 +31,7 @@ typedef struct _HIDE_INFO BOOLEAN HookNtUserQueryWindow; BOOLEAN HookNtUserGetForegroundWindow; BOOLEAN HookKuserSharedData; - BOOLEAN HookKiExceptionDispatch; + BOOLEAN HookKiDispatchException; BOOLEAN HookNtSetInformationProcess; BOOLEAN ClearPebBeingDebugged; BOOLEAN ClearPebNtGlobalFlag; diff --git a/HyperHideDrv/GlobalData.h b/HyperHideDrv/GlobalData.h index 8cf87c9..f31f229 100644 --- a/HyperHideDrv/GlobalData.h +++ b/HyperHideDrv/GlobalData.h @@ -18,6 +18,9 @@ #define WINDOWS_10_VERSION_20H1 19041 #define WINDOWS_10_VERSION_20H2 19042 #define WINDOWS_10_VERSION_21H1 19043 +#define WINDOWS_10_VERSION_21H2 19044 +#define WINDOWS_11 22000 + typedef struct _HYPER_HIDE_GLOBAL_DATA { diff --git a/HyperHideDrv/Hider.h b/HyperHideDrv/Hider.h index 63ec546..6164f8b 100644 --- a/HyperHideDrv/Hider.h +++ b/HyperHideDrv/Hider.h @@ -63,6 +63,7 @@ typedef struct _HIDE_INFO BOOLEAN HookNtUserQueryWindow; BOOLEAN HookNtUserGetForegroundWindow; BOOLEAN HookKuserSharedData; + BOOLEAN HookKiDispatchException; BOOLEAN HookNtSetInformationProcess; BOOLEAN ClearPebBeingDebugged; BOOLEAN ClearPebNtGlobalFlag; diff --git a/HyperHideDrv/HookHelper.cpp b/HyperHideDrv/HookHelper.cpp index 56e0280..b021d2b 100644 --- a/HyperHideDrv/HookHelper.cpp +++ b/HyperHideDrv/HookHelper.cpp @@ -147,23 +147,23 @@ BOOLEAN IsWindowBad(HANDLE hWnd) BOOLEAN HookKiDispatchException(PVOID HookedKiDispatchException, PVOID* OriginalKiDispatchException) { - PVOID KernelTextSectionBase = 0; - ULONG64 KernelTextSectionSize = 0; - CHAR* Pattern = "\x8B\x00\x50\x00\x8B\x00\x58\x48\x8D\x4D\x00\xE8\x00\x00\x00\xFF\x8B\x55"; - CHAR* Mask = "x?x?x?xxxx?x???xxx"; + PVOID KernelSectionBase = 0; + ULONG64 KernelSectionSize = 0; + CHAR* Pattern = g_HyperHide.CurrentWindowsBuildNumber >= WINDOWS_11 ? "\x24\x00\x00\x41\xB1\x01\x48\x8D\x4C\x24\x00\xE8" : "\x8B\x00\x50\x00\x8B\x00\x58\x48\x8D\x4D\x00\xE8\x00\x00\x00\xFF\x8B\x55"; + CHAR* Mask = g_HyperHide.CurrentWindowsBuildNumber >= WINDOWS_11 ? "x??xxxxxxx?x" : "x?x?x?xxxx?x???xxx"; + CHAR* Section = g_HyperHide.CurrentWindowsBuildNumber >= WINDOWS_11 ? "PAGE" : ".text"; - if (GetSectionData("ntoskrnl.exe", ".text", KernelTextSectionSize, KernelTextSectionBase) == FALSE) + if (GetSectionData("ntoskrnl.exe", Section, KernelSectionSize, KernelSectionBase) == FALSE) return FALSE; - PVOID KiExceptionDispatchAddress = FindSignature(KernelTextSectionBase, KernelTextSectionSize, Pattern, Mask); - if ((ULONG64)KiExceptionDispatchAddress >= (ULONG64)KernelTextSectionBase && (ULONG64)KiExceptionDispatchAddress <= (ULONG64)KernelTextSectionBase + KernelTextSectionSize) + PVOID KiDispatchExceptionAddress = FindSignature(KernelSectionBase, KernelSectionSize, Pattern, Mask); + if ((ULONG64)KiDispatchExceptionAddress >= (ULONG64)KernelSectionBase && (ULONG64)KiDispatchExceptionAddress <= (ULONG64)KernelSectionBase + KernelSectionSize) { - KiExceptionDispatchAddress = (PVOID)(*(LONG*)((ULONG64)KiExceptionDispatchAddress + 12) + (LONGLONG)((ULONG64)KiExceptionDispatchAddress + 16)); + KiDispatchExceptionAddress = (PVOID)(*(LONG*)((ULONG64)KiDispatchExceptionAddress + 12) + (LONGLONG)((ULONG64)KiDispatchExceptionAddress + 16)); - LogInfo("KiExceptionDispatch address: 0x%llx", KiExceptionDispatchAddress); + LogInfo("KiDispatchException address: 0x%llx", KiDispatchExceptionAddress); - if ((ULONG64)KiExceptionDispatchAddress >= (ULONG64)KernelTextSectionBase && (ULONG64)KiExceptionDispatchAddress <= (ULONG64)KernelTextSectionBase + KernelTextSectionSize) - return hv::hook_function(KiExceptionDispatchAddress, HookedKiDispatchException, OriginalKiDispatchException); + return hv::hook_function(KiDispatchExceptionAddress, HookedKiDispatchException, OriginalKiDispatchException); } return FALSE; @@ -171,7 +171,34 @@ BOOLEAN HookKiDispatchException(PVOID HookedKiDispatchException, PVOID* Original VOID GetNtSyscallNumbers(NT_SYSCALL_NUMBERS &SyscallNumbers) { - if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1) + if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_11) + { + SyscallNumbers.NtSetInformationThread = 0xd; + SyscallNumbers.NtQueryInformationProcess = 0x19; + SyscallNumbers.NtQueryObject = 0x10; + SyscallNumbers.NtSystemDebugControl = 0x1c8; + SyscallNumbers.NtSetContextThread = 0x194; + SyscallNumbers.NtQuerySystemInformation = 0x36; + SyscallNumbers.NtGetContextThread = 0xf7; + SyscallNumbers.NtClose = 0xf; + SyscallNumbers.NtQueryInformationThread = 0x25; + SyscallNumbers.NtCreateThreadEx = 0xC5; + SyscallNumbers.NtCreateFile = 0x55; + SyscallNumbers.NtCreateProcessEx = 0x4d; + SyscallNumbers.NtYieldExecution = 0x46; + SyscallNumbers.NtQuerySystemTime = 0x5a; + SyscallNumbers.NtQueryPerformanceCounter = 0x31; + SyscallNumbers.NtContinue = 0xa3; + SyscallNumbers.NtQueryInformationJobObject = 0x150; + SyscallNumbers.NtCreateUserProcess = 0xcd; + SyscallNumbers.NtGetNextProcess = 0xfc; + SyscallNumbers.NtOpenProcess = 0x26; + SyscallNumbers.NtOpenThread = 0x134; + SyscallNumbers.NtSetInformationProcess = 0x1c; + } + + else if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1 || + g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H2) { SyscallNumbers.NtSetInformationThread = 0xd; SyscallNumbers.NtQueryInformationProcess = 0x19; @@ -486,7 +513,19 @@ VOID GetNtSyscallNumbers(NT_SYSCALL_NUMBERS &SyscallNumbers) VOID GetWin32kSyscallNumbers(WIN32K_SYSCALL_NUMBERS& SyscallNumbers) { - if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1) + if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_11) + { + SyscallNumbers.NtUserFindWindowEx = 0x67; + SyscallNumbers.NtUserBuildHwndList = 0x1a; + SyscallNumbers.NtUserQueryWindow = 0xe; + SyscallNumbers.NtUserGetForegroundWindow = 0x37; + SyscallNumbers.NtUserGetThreadState = 0x0; + SyscallNumbers.NtUserInternalGetWindowText = 0x5D; + SyscallNumbers.NtUserGetClassName = 0x74; + } + + if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1 || + g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H2) { SyscallNumbers.NtUserFindWindowEx = 0x6c; SyscallNumbers.NtUserBuildHwndList = 0x1c; diff --git a/HyperHideDrv/HookedFunctions.cpp b/HyperHideDrv/HookedFunctions.cpp index 294d75a..32d4cb7 100644 --- a/HyperHideDrv/HookedFunctions.cpp +++ b/HyperHideDrv/HookedFunctions.cpp @@ -1926,7 +1926,7 @@ BOOLEAN HookSyscalls() if (HookKiDispatchException(HookedKiDispatchException, (PVOID*)&OriginalKiDispatchException) == FALSE) { - LogError("KiExceptionDispatch hook failed"); + LogError("KiDispatchException hook failed"); return FALSE; } diff --git a/HyperHideDrv/KuserSharedData.cpp b/HyperHideDrv/KuserSharedData.cpp index f79f693..cc55f38 100644 --- a/HyperHideDrv/KuserSharedData.cpp +++ b/HyperHideDrv/KuserSharedData.cpp @@ -15,15 +15,10 @@ BOOLEAN GetPfnDatabase() { ULONG64 TextSize; PVOID TextBase; - ULONG64 AlmostroSize; - PVOID AlmostroBase; if (GetSectionData("ntoskrnl.exe", ".text", TextSize, TextBase) == FALSE) return FALSE; - if (GetSectionData("ntoskrnl.exe", "ALMOSTRO", AlmostroSize, AlmostroBase) == FALSE) - return FALSE; - CONST CHAR* Pattern = "\x48\x8B\x05\x00\x00\x00\x00\x48\x89\x43\x18\x48\x8D\x05"; CONST CHAR* Mask = "xxx????xxxxxxx"; @@ -174,7 +169,8 @@ VOID UpdateDelta(PEPROCESS DebuggedProcess) HiddenProcess->Kusd.DeltaTimeUpdateLock += KernelKuserSharedData->TimeUpdateLock - HiddenProcess->Kusd.BeginTimeUpdateLock; HiddenProcess->Kusd.DeltaBaselineSystemQpc += KernelKuserSharedData->BaselineSystemTimeQpc - HiddenProcess->Kusd.BeginBaselineSystemQpc; - RtlZeroMemory(&HiddenProcess->Kusd.BeginInterruptTime, sizeof(ULONG64) * 5 + 4); /// oddd + RtlZeroMemory(&HiddenProcess->Kusd.BeginInterruptTime, sizeof(ULONG64) * 5 + 4); + break; } } diff --git a/HyperHideDrv/Utils.cpp b/HyperHideDrv/Utils.cpp index c11b5b3..13ccd4b 100644 --- a/HyperHideDrv/Utils.cpp +++ b/HyperHideDrv/Utils.cpp @@ -593,7 +593,18 @@ BOOLEAN IsSetThreadContextRestricted(PEPROCESS TargetProcess) BOOLEAN GetOffsets() { - if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1) + if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_11) + { + NtapiOffsets.BypassProcessFreezeFlagOffset = 0x74; + NtapiOffsets.ThreadHideFromDebuggerFlagOffset = 0x560; + NtapiOffsets.ThreadBreakOnTerminationFlagOffset = 0x560; + NtapiOffsets.PicoContextOffset = 0x630; + NtapiOffsets.RestrictSetThreadContextOffset = 0x460; + NtapiOffsets.SeAuditProcessCreationInfoOffset = 0x5c0; + } + + else if (g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H1 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_21H2 || + g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H2 || g_HyperHide.CurrentWindowsBuildNumber == WINDOWS_10_VERSION_20H1) { NtapiOffsets.BypassProcessFreezeFlagOffset = 0x74; NtapiOffsets.ThreadHideFromDebuggerFlagOffset = 0x510; diff --git a/airhv b/airhv index 8c6f6fc..4858621 160000 --- a/airhv +++ b/airhv @@ -1 +1 @@ -Subproject commit 8c6f6fc7ed356fe557b359e47cdd81597d861a80 +Subproject commit 4858621d3be5ad11255fb3da70cd066e35ebf01c