MasterHide
A x64 Windows Rootkit using SSDT or Hypervisor hook
https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/tools.h#L17 useless assignment
https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/tools.cpp#L117 Bad size for ProbeForRead: the code probes sizeof(PUCHAR), but it wants to read sizeof(IMAGE_DOS_HEADER) `ProbeForRead( pImageBase, sizeof(IMAGE_DOS_HEADER), __alignof( pImageBase ) );`
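The point of the report above is that the probe must cover the object that will be read, not the pointer to it: `sizeof(PUCHAR)` is eight bytes on x64, while the DOS header that the code then dereferences is 64. The user-mode C below is an added example, not MasterHide code and not kernel code: an explicit region-size check stands in for ProbeForRead, and the walk from the DOS header to the PE signature checks every read against the region before performing it. The `IMAGE_DOS_HEADER` stand-in, the `probe_*` functions and the sample image are all defined and constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed user-mode stand-in for IMAGE_DOS_HEADER: only e_magic (offset 0) and
 * e_lfanew (offset 0x3C) are interpreted; the struct is 64 bytes like the real one. */
#pragma pack(push, 1)
typedef struct {
    uint16_t e_magic;     /* 'MZ' */
    uint8_t  e_rest[58];  /* fields this example does not interpret */
    int32_t  e_lfanew;    /* offset of the "PE\0\0" signature from the image base */
} IMAGE_DOS_HEADER;
#pragma pack(pop)

enum probe_result { PROBE_OK = 0, PROBE_TOO_SHORT, PROBE_BAD_MAGIC, PROBE_BAD_LFANEW };

/* What sizeof(pImageBase) actually measures: the pointer itself, 8 bytes on x64. */
size_t probe_size_as_written(const uint8_t *pImageBase)
{
    return sizeof(pImageBase);   /* not sizeof(IMAGE_DOS_HEADER) == 64 */
}

/* Bounds-checked header walk. Every access is checked against region_size first,
 * which is the user-mode equivalent of probing sizeof(IMAGE_DOS_HEADER) and then
 * validating e_lfanew before touching the NT headers. */
enum probe_result probe_pe_headers(const uint8_t *base, size_t region_size)
{
    IMAGE_DOS_HEADER dos;
    if (region_size < sizeof dos)
        return PROBE_TOO_SHORT;            /* an 8-byte probe would have passed here */
    memcpy(&dos, base, sizeof dos);        /* copy out once; do not re-read the source */
    if (dos.e_magic != 0x5A4D)             /* "MZ" as a little-endian uint16 */
        return PROBE_BAD_MAGIC;
    if (dos.e_lfanew < 0 || (size_t)dos.e_lfanew > region_size - 4)
        return PROBE_BAD_LFANEW;           /* the 4-byte signature must fit in the region */
    if (memcmp(base + dos.e_lfanew, "PE\0\0", 4) != 0)
        return PROBE_BAD_LFANEW;
    return PROBE_OK;
}

/* Constructed sample image (not a real binary): MZ header, e_lfanew = 0x40 and a
 * PE signature at 0x40. Returns bytes written, or 0 if cap is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t need = 0x44;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M';
    buf[1] = 'Z';
    int32_t lfanew = 0x40;
    memcpy(buf + 0x3C, &lfanew, sizeof lfanew);
    memcpy(buf + 0x40, "PE\0\0", 4);
    return need;
}

int main(void)
{
    uint8_t img[0x80];
    size_t n = build_sample_image(img, sizeof img);
    printf("probe size as written: %zu bytes, header needs %zu bytes\n",
           probe_size_as_written(img), sizeof(IMAGE_DOS_HEADER));
    printf("full region -> %d, 16-byte region -> %d (0 = OK, 1 = too short)\n",
           probe_pe_headers(img, n), probe_pe_headers(img, 16));
    return 0;
}
```

The kernel version of this check is the same shape: probe `sizeof(IMAGE_DOS_HEADER)`, copy the header out under a `__try` block, validate `e_lfanew` against the mapped size, and only then probe and copy the NT headers.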
https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/shadow_ssdt.cpp#L203 "\\Windows\\ApiPort" length is 17, not 20 `wcsncmp( L"\\Windows\\ApiPort", ObjName->Name.Buffer, 17 )`
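The compare in the report above runs wcsncmp over `ObjName->Name.Buffer`, presumably a UNICODE_STRING: its Length is in bytes and its Buffer is not guaranteed to be NUL-terminated, so a count larger than the literal makes wcsncmp compare the literal's terminating NUL against whatever code unit sits past Length, and the match then depends on what happens to be there. The C below is an added example, not project code; `UNICODE_STRING`, `make_ustr` and the `prefix_match_*` functions are user-mode stand-ins defined here and the object names are constructed. It contrasts the hand-counted wcsncmp pattern with a compare that is bounded by Length and takes its count from the literal itself, so no number has to be counted by hand.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the kernel types. WCHAR is 16-bit on Windows, unlike
 * wchar_t on Linux, so it is spelled out here. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use; NOT code units, NOT NUL-terminated */
    uint16_t MaximumLength; /* bytes allocated */
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Widen an ASCII string; returns code units written, terminator only if room. */
static size_t ascii_to_wide(const char *s, WCHAR *out, size_t cap)
{
    size_t n = 0;
    for (; s[n] != '\0' && n < cap; n++) out[n] = (WCHAR)(unsigned char)s[n];
    if (n < cap) out[n] = 0;
    return n;
}

/* Constructed object name: Buffer holds name followed by junk, but Length covers
 * only name. This is what a non-terminated UNICODE_STRING looks like in memory. */
void make_ustr(UNICODE_STRING *us, WCHAR *storage, size_t cap,
               const char *name, const char *junk)
{
    memset(storage, 0, cap * sizeof(WCHAR));
    size_t n = ascii_to_wide(name, storage, cap);
    ascii_to_wide(junk, storage + n, cap - n);
    us->Length = (uint16_t)(n * sizeof(WCHAR));
    us->MaximumLength = (uint16_t)(cap * sizeof(WCHAR));
    us->Buffer = storage;
}

/* wcsncmp semantics on 16-bit units: stop at a mismatch or at a NUL in either side. */
static int wcsncmp16(const WCHAR *a, const WCHAR *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) return (a[i] < b[i]) ? -1 : 1;
        if (a[i] == 0) return 0;
    }
    return 0;
}

/* The pattern from the hook: literal, hand-typed count, Length ignored. With
 * count == strlen(literal) it is a prefix match; with a larger count the
 * literal's NUL is compared against a unit beyond Length. */
bool prefix_match_wcsncmp(const UNICODE_STRING *us, const char *literal, size_t count)
{
    WCHAR lit[64];
    ascii_to_wide(literal, lit, sizeof lit / sizeof lit[0]);
    return wcsncmp16(lit, us->Buffer, count) == 0;
}

/* Compare bounded by Length, count taken from the literal: nothing past Length is
 * read (same contract as RtlPrefixUnicodeString with CaseInSensitive == FALSE). */
bool prefix_match_counted(const UNICODE_STRING *us, const char *literal)
{
    size_t n = strlen(literal);
    if ((size_t)us->Length / sizeof(WCHAR) < n) return false;
    for (size_t i = 0; i < n; i++)
        if (us->Buffer[i] != (WCHAR)(unsigned char)literal[i]) return false;
    return true;
}

int main(void)
{
    WCHAR storage[20];
    UNICODE_STRING name;
    const char *lit = "\\Windows\\ApiPort";
    make_ustr(&name, storage, 20, lit, "ZZZ");   /* junk past Length, no NUL */
    printf("counted prefix match: %d\n", prefix_match_counted(&name, lit));
    printf("wcsncmp, count = strlen: %d; count = 20: %d\n",
           prefix_match_wcsncmp(&name, lit, strlen(lit)),
           prefix_match_wcsncmp(&name, lit, 20));
    return 0;
}
```

With a zero-filled buffer the count-20 compare happens to succeed, because the unit past Length is a NUL; with anything else there it fails, and in either case it has read past the string. In the driver the fix is to compare against `ObjName->Name.Length` (or call RtlPrefixUnicodeString with a constant UNICODE_STRING) rather than to pick a different count.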
https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/tools.cpp#L32 https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/tools.cpp#L66 Better:
```cpp
wchar_t lpModuleName[ MAX_PATH ];
status = ZwQueryVirtualMemory( NtCurrentProcess(), PsGetProcessSectionBaseAddress( Process ), static_cast<MEMORY_INFORMATION_CLASS>(2), lpModuleName, sizeof( lpModuleName ), nullptr );
if ( NT_SUCCESS( status ) ) {...
```
https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/mh_hooks.cpp#L380 https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/mh_hooks.cpp#L392 https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/mh_hooks.cpp#L423 https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/mh_hooks.cpp#L435 Decreased performance; more correct to do it like `Serial[0] != '\0'`
https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/shadow_ssdt.cpp#L387-L400 add `\n`; correct:
```cpp
if ( !kaspersky::unhook_shadow_ssdt_routine( SYSCALL_NTUSERBUILDWNDLIST, oNtUserBuildHwndList ) )
    DBGPRINT( "Failed to unhook NtUserBuildHwndList\n" );
if ( !kaspersky::unhook_shadow_ssdt_routine( SYSCALL_NTUSERWNDFROMPOINT, oNtUserWindowFromPoint ) )
    DBGPRINT( "Failed to unhook NtUserWindowFromPoint\n"...
```
https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/mh_hooks.h#L6 https://github.com/crvvdev/MasterHide/blob/3e79de125c690663d88272dcb9855c5ec216293c/MasterHide/mh_hooks.h#L15 correct:
```cpp
//
// win32k.sys
//
static auto SYSCALL_NTUSERFINDWNDEX = 0x106e;
static auto SYSCALL_NTUSERWNDFROMPOINT = 0x1014;
static auto SYSCALL_NTUSERBUILDWNDLIST = 0x101c;
static auto SYSCALL_NTGETFOREGROUNDWND = 0x103c;
static auto...
```
Hello there. I can't overcome the error. I've been working on this for a long time, but I can't find a solution. Can you tell me what I'm doing wrong...
Complete re-code and re-work of MasterHide, providing full multi-process anti-anti-debug, protection and monitoring capabilities. The plan is to have a GUI application to control MasterHide, as well as having...
MasterHide failed to compile. When using the VS2019 development environment with the WDK SDK (version 10.0.19041.0), a large number of errors occurred, causing the driver to fail to complete compilation. Most...