Invisible Hypervisors: Stealthy Malware Analysis with HyperDbg

HyperDbg is a modern, open-source hypervisor-based debugger supporting both user- and kernel-mode debugging. Operating at the hypervisor level, it bypasses OS debugging APIs and offers stealthy hooks, unlimited simulated debug registers, fine-grained memory monitoring, I/O debugging, and full execution control, enabling analysts to observe malware with far greater reliability than traditional debuggers.

When it comes to debugger stealthiness and sandboxing, environment artifacts can reveal the presence of analysis tools - particularly under nested virtualization. To address this issue, we present HyperEvade, a transparency layer for HyperDbg. HyperEvade intercepts hypervisor-revealing instructions, normalizes timing sources, conceals virtualization-specific identifiers, and emulates native hardware behavior, reducing the observable footprint of the hypervisor.

While perfect transparency remains a future endeavour, HyperEvade significantly raises the bar for stealthy malware analysis. By suppressing common detection vectors, it enables more realistic malware execution and reduces evasion, making HyperDbg a more dependable tool for observing evasive or self-protective malware. This talk covers HyperDbg’s architecture and features, HyperEvade’s design, and practical evaluation results.

Resources:

• HyperDbg repository: https://github.com/HyperDbg/HyperDbg/

• Documentation: https://docs.hyperdbg.org/

• Kernel-mode debugger design: https://research.hyperdbg.org/debugger/kernel-debugger-design/

• Research paper: https://dl.acm.org/doi/abs/10.1145/3548606.3560649