This toolset is developed like a solution for my reverse engineering and researching tasks. This is a windows driver with a usermode interface which is used for hidding specific environment on VMs, like installed rce programs (ex. procmon, wireshark), vm infrastracture (ex. vmware tools) and etc.
- hide registry keys and values
- hide files and directories
- protect specific processes using ObRegisterCallbacks
- exclude specific processes from hidding and protection features
- usermode interface (lib and cli) for working with driver
and so on
Recommended build environment
- Visual Studio 2013 and above
- Windows Driver Kit 8.1
Following guide explains how to make a release win32 build
- Open Hidden.sln using Visual Studio 2013
- Build Hidden Package project with configurations Release, Win32
- Open build results folder <ProjectDir>\Release
- Disable a digital signature enforcement on a test machine (bcdedit /set TESTSIGNING ON)
- Copy files from <ProjectDir>\Release\Hidden Package to a test machine
- Right mouse click on Hidden.inf and choose Install
- Start a driver (sc start hidden)
A command line tool hiddencli is used for managing a driver. You are able to use it for hiding and unhiding objects, changing a driver state and so on.
To hide a calc.exe try this one
hiddencli /hide file c:\Windows\calc.exe
Want to hide directory? No problems
hiddencli /hide dir "c:\Program Files\VMWare"
hiddencli /hide regkey "HKCU\Software\VMware, Inc."
To get a full help just type