New feature, hiding hv presence

Author: Air14

HyperHide/HyperHideDrv.cpp

@@ -9,6 +9,7 @@ HyperHideDrv::HyperHideDrv()
 
 HyperHideDrv::~HyperHideDrv() 
 {
+    SetHyperVisorVisibility(TRUE);
 	if (this->DriverHandle != 0 && this->DriverHandle != INVALID_HANDLE_VALUE)
 		CloseHandle(this->DriverHandle);
 }
@@ -37,6 +38,19 @@ BOOLEAN HyperHideDrv::CallDriver(size_t Ioctl)
     );
 }
 
+void HyperHideDrv::SetHyperVisorVisibility(BOOLEAN Value)
+{
+    DWORD BytesReturned = 0;
+    DeviceIoControl
+    (
+        this->DriverHandle,
+        IOCTL_SET_HYPERVISOR_VISIBILITY,
+        &Value, sizeof(BOOLEAN),
+        0, 0,
+        &BytesReturned, NULL
+    );
+}
+
 BOOLEAN HyperHideDrv::Hide(HIDE_INFO& HideInfo)
 {
     if (this->Pid == NULL)

HyperHide/HyperHideDrv.h

@@ -54,6 +54,7 @@ class HyperHideDrv
 	BOOLEAN CallDriver(size_t Ioctl);
     BOOLEAN Hide(HIDE_INFO& HideInfo);
 	void SetTargetPid(UINT32 Pid);
+    void SetHyperVisorVisibility(BOOLEAN Value);
 	HANDLE GetDriverHandleValue();
 
 private:

HyperHide/Ioctl.h

@@ -7,4 +7,5 @@
 #define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x904, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
 #define IOCTL_REMOVE_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x905, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
 #define IOCTL_PROCESS_STOPPED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x906, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
-#define IOCTL_PROCESS_RESUMED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x907, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define IOCTL_PROCESS_RESUMED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x907, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define IOCTL_SET_HYPERVISOR_VISIBILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x908, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

HyperHide/pluginmain.cpp

@@ -10,7 +10,8 @@
 
 enum MenuItems
 {
-    MENU_HIDER,
+    MENU_OPTIONS,
+    MENU_HYPERVISOR_VISIBLE,
 };
 
 HINSTANCE hinst;
@@ -294,7 +295,7 @@ void MenuEntry(CBTYPE cbType, void* CallbackInfo)
     PLUG_CB_MENUENTRY* Info = (PLUG_CB_MENUENTRY*)CallbackInfo;
     switch (Info->hEntry)
     {
-        case MENU_HIDER:
+        case MENU_OPTIONS:
         {
             if (g_HyperHideDrv->GetDriverHandleValue() == INVALID_HANDLE_VALUE)
             {
@@ -308,6 +309,16 @@ void MenuEntry(CBTYPE cbType, void* CallbackInfo)
             DialogBox(hinst, MAKEINTRESOURCE(DLG_MAIN), NULL, HiderDialog);
             break;
         }
+
+        case MENU_HYPERVISOR_VISIBLE:
+        {
+            static BOOLEAN HypervisorPresent = TRUE;
+            HypervisorPresent = !HypervisorPresent;
+
+            g_HyperHideDrv->SetHyperVisorVisibility(HypervisorPresent);
+            break;
+        }
+
         default:
         {
             break;
@@ -348,7 +359,9 @@ PLUG_EXPORT void plugsetup(PLUG_SETUPSTRUCT* setupStruct)
     g_Settings = new Settings();
     g_Settings->Load(g_HyperHideIniPath);
 
-    _plugin_menuaddentry(hMenu, MENU_HIDER, "&Options");
+    _plugin_menuaddentry(hMenu, MENU_OPTIONS, "&Options");
+    _plugin_menuaddentry(hMenu, MENU_HYPERVISOR_VISIBLE, "&Hypervisor not visible");
+    _plugin_menuentrysetchecked(pluginHandle, MENU_HYPERVISOR_VISIBLE, 0);
 
     HRSRC Icon = FindResourceW(hinst, MAKEINTRESOURCEW(IDB_ICON), L"PNG");
     if (Icon != NULL)

HyperHideDrv/Dispatcher.cpp

@@ -6,6 +6,7 @@
 #include "KuserSharedData.h"
 #include "GlobalData.h"
 #include "Peb.h"
+#include "HypervisorGateway.h"
 
 extern HYPER_HIDE_GLOBAL_DATA g_HyperHide;
 
@@ -82,6 +83,14 @@ NTSTATUS DrvIOCTLDispatcher(_In_ PDEVICE_OBJECT DeviceObject, _In_ PIRP Irp)
 				Status = STATUS_UNSUCCESSFUL;
 			break;
 		}
+
+		case IOCTL_SET_HYPERVISOR_VISIBILITY:
+		{
+			BOOLEAN Value = *(BOOLEAN*)Irp->AssociatedIrp.SystemBuffer;
+			hv::hypervisor_visible(Value);
+			break;
+		}
+
 	}
 
 	Irp->IoStatus.Status = Status;

HyperHideDrv/HypervisorGateway.cpp

@@ -6,14 +6,17 @@
 
 #define IOCTL_POOL_MANAGER_ALLOCATE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
 
-enum __vmcall_reason
+enum vm_call_reasons
 {
 	VMCALL_TEST,
 	VMCALL_VMXOFF,
 	VMCALL_EPT_HOOK_FUNCTION,
 	VMCALL_EPT_UNHOOK_FUNCTION,
-	VMCALL_UNHOOK_ALL_PAGES,
 	VMCALL_INVEPT_CONTEXT,
+	VMCALL_DUMP_POOL_MANAGER,
+	VMCALL_DUMP_VMCS_STATE,
+	VMCALL_HIDE_HV_PRESENCE,
+	VMCALL_UNHIDE_HV_PRESENCE
 };
 
 enum invept_type
@@ -24,8 +27,6 @@ enum invept_type
 
 namespace hv
 {
-	PDEVICE_OBJECT AirHvDeviceObject = NULL;
-
 	void broadcast_vmoff(KDPC* Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
 	{
 		UNREFERENCED_PARAMETER(DeferredContext);
@@ -93,6 +94,18 @@ namespace hv
 		else KeGenericCallDpc(broadcast_invept_single_context, NULL);
 	}
 
+	/// <summary>
+	/// Set/Unset presence of hypervisor
+	/// </summary>
+	/// <param name="value"> If false, hypervisor is not visible via cpuid interface, If true, it become visible</param>
+	void hypervisor_visible(bool value)
+	{
+		if (value == true)
+			__vm_call(VMCALL_UNHIDE_HV_PRESENCE, 0, 0, 0);
+		else
+			__vm_call(VMCALL_HIDE_HV_PRESENCE, 0, 0, 0);
+	}
+
 	/// <summary>
 	/// Hook function via ept and invalidate ept entries in tlb
 	/// </summary>
@@ -111,7 +124,6 @@ namespace hv
 		return status;
 	}
 
-
 	/// <summary>
 	/// Hook function via ept and invalidate ept entries in tlb
 	/// </summary>
@@ -136,62 +148,50 @@ namespace hv
 		return __vm_call(VMCALL_TEST, 0, 0, 0);
 	}
 
-	BOOLEAN PerformAllocation() 
+	bool send_irp_perform_allocation()
 	{
-		NTSTATUS Status;
-		KEVENT Event;
-		PIRP Irp;
-		IO_STATUS_BLOCK ioStatus = { 0 };
+		PDEVICE_OBJECT airhv_device_object;
+		NTSTATUS status;
+		KEVENT event;
+		PIRP irp;
+		IO_STATUS_BLOCK io_status = { 0 };
+		UNICODE_STRING airhv_name;
+		PFILE_OBJECT file_object;
 
-		if (AirHvDeviceObject == NULL) 
-		{
-			UNICODE_STRING AirHvName;
-			PFILE_OBJECT FileObject;
-			RtlInitUnicodeString(&AirHvName, L"\\Device\\airhv");
+		RtlInitUnicodeString(&airhv_name, L"\\Device\\airhv");
 
-			Status = IoGetDeviceObjectPointer(&AirHvName, NULL, &FileObject, &AirHvDeviceObject);
+		status = IoGetDeviceObjectPointer(&airhv_name, 0, &file_object, &airhv_device_object);
 
-			if (NT_SUCCESS(Status) == FALSE) 
-			{
-				LogError("Couldn't get hypervisor device object pointer");
-				return FALSE;
-			}
-		}
+		ObReferenceObjectByPointer(airhv_device_object, FILE_ALL_ACCESS, 0, KernelMode);
 
-		KeInitializeEvent(&Event, NotificationEvent, FALSE);
-		__try
-		{
-			Irp = IoBuildDeviceIoControlRequest(IOCTL_POOL_MANAGER_ALLOCATE, AirHvDeviceObject, NULL, NULL, NULL, NULL, FALSE, &Event, &ioStatus);
-		}
-		__except (EXCEPTION_EXECUTE_HANDLER) 
+		// We don't need this so we instantly dereference file object
+		ObDereferenceObject(file_object);
+
+		if (NT_SUCCESS(status) == false)
 		{
-			ASSERT(FALSE);
-			return FALSE;
+			LogError("Couldn't get hypervisor device object pointer");
+			return false;
 		}
 
+		KeInitializeEvent(&event, NotificationEvent, 0);
+		irp = IoBuildDeviceIoControlRequest(IOCTL_POOL_MANAGER_ALLOCATE, airhv_device_object, 0, 0, 0, 0, 0, &event, &io_status);
 
-		if (Irp == NULL)
+		if (irp == NULL)
 		{
 			LogError("Couldn't create Irp");
-			return FALSE;
+			ObDereferenceObject(airhv_device_object);
+			return false;
 		}
 
 		else
 		{
-			Status = IofCallDriver(AirHvDeviceObject, Irp);
+			status = IofCallDriver(airhv_device_object, irp);
 
-			if (Status == STATUS_PENDING)
-			{
-				KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
-				Status = ioStatus.Status;
-			}
+			if (status == STATUS_PENDING)
+				KeWaitForSingleObject(&event, Executive, KernelMode, 0, 0);
 
-			return TRUE;
+			ObDereferenceObject(airhv_device_object);
+			return true;
 		}
 	}
-
-	VOID CloseHandle() 
-	{
-		ObDereferenceObject(AirHvDeviceObject);
-	}
 }

HyperHideDrv/HypervisorGateway.h

@@ -2,17 +2,17 @@
 #include <ntddk.h>
 namespace hv
 {
-	extern PDEVICE_OBJECT AirHvDeviceObject;
-
 	bool hook_function(void* target_address, void* hook_function, void* trampoline, void** origin_function);
 
 	bool hook_function(void* target_address, void* hook_function, void** origin_function);
 
+	void hypervisor_visible(bool value);
+
 	bool test_vmcall();
 
 	bool unhook_all_functions();
 
 	bool unhook_function(unsigned __int64 function_address);
 
-	BOOLEAN PerformAllocation();
+	bool send_irp_perform_allocation();
 }

HyperHideDrv/Ioctl.h

@@ -8,4 +8,5 @@
 #define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x904, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
 #define IOCTL_REMOVE_HIDER_ENTRY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x905, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
 #define IOCTL_PROCESS_STOPPED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x906, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
-#define IOCTL_PROCESS_RESUMED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x907, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define IOCTL_PROCESS_RESUMED CTL_CODE(FILE_DEVICE_UNKNOWN, 0x907, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define IOCTL_SET_HYPERVISOR_VISIBILITY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x908, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

HyperHideDrv/Log.cpp

@@ -1,3 +1,4 @@
+#define _NO_CRT_STDIO_INLINE
 #include <ntifs.h>
 #include <stdarg.h>
 #include <ntstrsafe.h>