Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   TitanHide (https://forum.exetools.com/showthread.php?t=15569)

mr.exodia 01-26-2014 22:59

TitanHide
1 Attachment(s)

Overview:

TitanHide is a driver intended to hide debuggers from certain processes.
The driver hooks various Nt* kernel functions (using inline hooks at the
moment) and modifies the return values of the original functions.
To hide a process, you must pass a simple structure with a ProcessID and
the hiding option(s) to enable to the driver. The internal API is
designed to add hooks with little effort, which means adding features
is really easy.

Features:

- ProcessDebugFlags (NtQueryInformationProcess)
- ProcessDebugPort (NtQueryInformationProcess)
- ProcessDebugObjectHandle (NtQueryInformationProcess)
- DebugObject (NtQueryObject)
- SystemKernelDebuggerInformation (NtQuerySystemInformation)
- NtClose (STATUS_INVALID_HANDLE exception)
- ThreadHideFromDebugger (NtSetInformationThread)

Test environments:

- Windows 7 x64 (SP1)
- Windows XP x86 (SP3)
- Windows XP x64 (SP1)

Installation:

1) Copy TitanHide.sys to %systemroot%\system32\drivers
2) Start 'loader.exe' (available on the download page)
3) Delete the old service (when present)
4) Install a new service
5) Start driver
6) Use 'TitanHideGUI.exe' to set hide options

NOTE: When on x64, you have to disable PatchGuard and driver signature
      enforcement yourself. Google is your friend :)

Repository:
https://bitbucket.org/mrexodia/titanhide/

Downloads:
https://bitbucket.org/mrexodia/titanhide/downloads

Feel free to report bugs and/or request features.

Greetings,

Mr. eXoDia

ahmadmansoor 01-27-2014 05:04

You are very fast, man...... :eek:
I begin to feel as if the clock has stopped here :D.
Today I installed Win 7.0 x64 on vmw.
Thanks for your great work.

mr.exodia 01-28-2014 00:17

Quote:

Originally Posted by ahmadmansoor (Post 89630)
You are very fast, man...... :eek:
I begin to feel as if the clock has stopped here :D.
Today I installed Win 7.0 x64 on vmw.
Thanks for your great work.

Hehe, you can join in if you like :)

Attached V0002, fixed some bugs with UNICODE_STRING (pointed out by deepzero)

cxj98 01-28-2014 12:48

How can I get your latest x64dbg build with a compiled exe?

mr.exodia 01-28-2014 15:05

Quote:

Originally Posted by cxj98 (Post 89640)
How can I get your latest x64dbg build with a compiled exe?

Hi, it would be better to ask this in the 'x64_dbg' topic :) But I will upload a dev build (it's not stable though...)

Sigma is currently unavailable, so the dump window works, but still needs some improvements.

Greetings

ferrit.rce 01-29-2014 02:27

Cool :) How does it work together with PatchGuard? SSDT hooking is being watched there...

mr.exodia 01-29-2014 02:28

Hi,

It doesn't work with PatchGuard :) and no SSDT hooking as well :D

Greetings

ferrit.rce 01-29-2014 02:59

I thought you'd found the holy grail and it works :) That was the reason why I designed the driver-based protection out of OllyExt. BTW I've made big steps to make my plugin multi-debugger capable. If you make a plugin framework for your debugger then I could make an X64DbgExt ;)

mr.exodia 01-29-2014 03:05

Quote:

Originally Posted by ferrit.rce (Post 89652)
I thought you'd found the holy grail and it works :) That was the reason why I designed the driver-based protection out of OllyExt. BTW I've made big steps to make my plugin multi-debugger capable. If you make a plugin framework for your debugger then I could make an X64DbgExt ;)

I figured out how to do SSDT hooking (still with PatchGuard & driver signing disabled), but it is very unstable, because the addresses are relative. It requires a memory page within 128MB range of ntoskrnl. This is sometimes possible, but not always, unfortunately.

The debugger has a plugin framework, but I don't know if it is good enough to support your needs, could you maybe PM me what kind of stuff you need? I will work on that.

Greetings

mr.exodia 01-31-2014 04:07

Hi everyone,

V0003 is out.

Changelog:
- SSDT hooks instead of inline hooks
- fixed the bug reported by Insid3Code
- many small fixes

Greetings,

Mr. eXoDia

mr.exodia 01-31-2014 05:41

A new hotfix V0004:

- support for different kernel names
- added log file (always in C:\TitanHide.log)

When you find a bug, please include the log file + crash dumps...

Greetings,

Mr. eXoDia

mcp 01-31-2014 05:46

1 Attachment(s)
Had a quick look at the source code. You have a potential infinite loop in this code in hider.cpp

Code:

//simple locking library
static bool locked=false;

static void lock()
{
    while(locked);
    locked=true;
}

If locked is true upon entry, then this is an infinite loop because locked is not declared volatile. An optimizing compiler will thus only fetch memory once, but not repeatedly in the loop.
The disassembly confirms this (see screenshot).
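
An added example (my own illustration, not TitanHide's code and not mcp's patch) contrasting the plain-bool spin lock quoted above with a correct version built on std::atomic_flag. Beyond the missing volatile that mcp points out, the posted loop has a second defect that volatile alone would not cure: the test and the set are two separate operations, so two threads can both observe false and both proceed. The SpinLock class, exercise_lock and its return sequence are assumptions of this example:

```cpp
// Added example, not TitanHide's code: a correct user-mode spin lock
// contrasted with the plain-bool pattern posted from hider.cpp.
#include <atomic>
#include <vector>

// The posted pattern (reproduced from the thread, not compiled here):
//
//     static bool locked = false;
//     static void lock() { while (locked); locked = true; }
//
// Two defects:
//  1. `locked` is a plain bool with no volatile/atomic qualifier, so the
//     optimizer may load it once and spin on the cached value forever.
//  2. Even with `volatile`, the test (`while (locked)`) and the set
//     (`locked = true`) are separate steps: two threads can both read
//     false and both enter the critical section.
//
// A single atomic read-modify-write (test-and-set) fixes both.

class SpinLock {
public:
    // Spin until the flag was clear. test_and_set returns the previous
    // value and stores true in one atomic operation; acquire ordering keeps
    // the critical section's reads from being hoisted above the lock.
    void lock() {
        while (flag_.test_and_set(std::memory_order_acquire)) {
            // busy-wait (a real implementation would pause/yield here)
        }
    }
    // Non-blocking variant: true if this call acquired the lock.
    bool try_lock() {
        return !flag_.test_and_set(std::memory_order_acquire);
    }
    // Release ordering publishes the critical section's writes before
    // the flag is observed clear by the next acquirer.
    void unlock() { flag_.clear(std::memory_order_release); }
private:
    std::atomic_flag flag_ = ATOMIC_FLAG_INIT;
};

// Exercise the lock from one thread and return what try_lock reported at
// each step. Expected: {true, false, true, false}
//   acquire a free lock, refused while held, re-acquire after unlock,
//   refused again after a blocking lock() took it.
std::vector<bool> exercise_lock() {
    SpinLock lk;
    std::vector<bool> seen;
    seen.push_back(lk.try_lock());   // free  -> acquired
    seen.push_back(lk.try_lock());   // held  -> refused
    lk.unlock();
    seen.push_back(lk.try_lock());   // free  -> acquired
    lk.unlock();
    lk.lock();                       // blocking path on a free lock returns
    seen.push_back(lk.try_lock());   // held  -> refused
    lk.unlock();
    return seen;
}

int main() {
    const std::vector<bool> expected{true, false, true, false};
    return exercise_lock() == expected ? 0 : 1;
}
```

In a Windows kernel driver such as this one the equivalent primitive is not a hand-rolled loop at all but a KSPIN_LOCK initialised with KeInitializeSpinLock and taken with KeAcquireSpinLock/KeReleaseSpinLock (or the in-stack queued variants), which also raises IRQL to DISPATCH_LEVEL for the duration of the critical section.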

mr.exodia 01-31-2014 05:53

Quote:

Originally Posted by mcp (Post 89675)
Had a quick look at the source code. You have a potential infinite loop in this code in hider.cpp

Code:

//simple locking library
static bool locked=false;

static void lock()
{
    while(locked);
    locked=true;
}

If locked is true upon entry, then this is an infinite loop because locked is not declared volatile. An optimizing compiler will thus only fetch memory once, but not repeatedly in the loop.
The disassembly confirms this (see screenshot).

Yes, you're right :) Will be fixed in the next release.

mr.exodia 02-03-2014 05:05

Released a fixed binary (V0005), thanks to mcp!

mr.exodia 02-04-2014 03:22

Released V0006

Fixed the UNICODE_STRING issue (reported by Insid3Code, thanks!)

Tested on Win7x64 and WinXPx86 (SP3), no freezes, no BSOD (before I indeed got a BSOD on the WinXP machine)

Greetings,

Mr. eXoDia
