Thread: TitanHide
Old 02-05-2014, 08:24
ahmadmansoor ahmadmansoor is offline
Hi,
Very good and very fast... I am still testing on v006, lol.
Anyway.

For (TitanHideTest):
I made a very tiny change, because letting this prog run in a cycle makes my eyes flash.
```cpp
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

// The Check* functions are the other TitanHideTest checks (not posted here);
// they are declared only so this snippet compiles on its own.
int CheckProcessDebugFlags(void);
int CheckProcessDebugPort(void);
int CheckProcessDebugObjectHandle(void);
int CheckObjectList(void);
int CheckSystemDebugger(void);
int CheckNtClose(void);

int main(void)
{
Test:                                                              // <<<<<<<<
    char title[256] = "";
    sprintf(title, "pid: %d", (int)GetCurrentProcessId());
    SetConsoleTitleA(title);
    while (1)
    {
        printf("ProcessDebugFlags: %d\n", CheckProcessDebugFlags());
        printf("ProcessDebugPort: %d\n", CheckProcessDebugPort());
        printf("ProcessDebugObjectHandle: %d\n", CheckProcessDebugObjectHandle());
        printf("NtQueryObject: %d\n", CheckObjectList());
        printf("CheckSystemDebugger: %d\n", CheckSystemDebugger());
        printf("CheckNtClose: %d\n", CheckNtClose());
        //printf("ThreadHideFromDebugger: %d\n", HideFromDebugger());
        puts("");
        //Sleep(1000);
        system("Pause");                                           // <<<<<<
        printf("\n");                                              // <<<<<<
        goto Test;                                                 // <<<<<<
    }
    return 0;
}
```


By the way, I have checked "CheckProcessDebugFlags"

and found something going wrong in your x64_dbg (x32).
- CheckProcessDebugFlags comes when the debugger tries to handle an exception which is a trap; the coder could have used it to check whether you debug his software or not, like this example (author: Dejan Lukan, with my little tiny changes):
```cpp
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

// 32-bit MSVC build: _asm and pushfd/popfd are x86 only.
int main(void)
{
Test:
    BOOL bExceptionHit = FALSE;
    __try {
        _asm
        {
            pushfd                      // save EFLAGS on the stack
            or dword ptr [esp], 0x100   // set the Trap Flag in the saved copy
            popfd                       // load the value back into the EFLAGS register
            nop                         // the single-step exception fires after this
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER) {
        bExceptionHit = TRUE;

        // An exception has been raised -
        // there is no debugger.
    }

    if (bExceptionHit == FALSE)
        printf("A debugger is present.\n");
    else
        printf("There is no debugger present.\n");

    /* wait */
    getchar();
    system("Pause");
    goto Test;

    return 0;
}
```
Anyway, in Olly you can ignore this exception and make the software handle this exception, but in your debugger x64_dbg (x32), I think your debugger does not see this exception at all, does not mention it in the command bar, and passes it, so
CheckProcessDebugFlags = 1 in your debugger.
Lol, a lot of lab lab, sorry for bothering you.

Anyway, my advice is to not ram this (CheckProcessDebugFlags) into kernel mode; let's keep it in user mode, by the debugger itself. That's my opinion.

Thanks again for your good work.
Attached Files
File Type: rar TitanHideTest.rar (9.8 KB)
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
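The same trap-flag check from the post, redone on Linux with a SIGTRAP handler in place of SEH, as an added example that is not from this post or from TitanHide: it returns 1 when the single-step exception reaches the program's own handler (no debugger took it first), and it shows the bookkeeping a debugger normally does for you, clearing TF in the saved context so the process does not trap again after every instruction. Assumes an x86 or x86-64 Linux build with GCC or Clang; on other targets it reports the check as unsupported.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#define TF_CHECK_SUPPORTED 1
#endif

/* Set by the SIGTRAP handler when the single-step trap is delivered to us. */
static volatile sig_atomic_t g_trap_hit = 0;

static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si; (void)ctx;
    g_trap_hit = 1;
#ifdef TF_CHECK_SUPPORTED
    /* TF is still set in the interrupted context. Clear it there, or the kernel
       restores it on sigreturn and we trap again after every instruction; this
       is the part a debugger does itself when it handles the single-step trap. */
    ((ucontext_t *)ctx)->uc_mcontext.gregs[REG_EFL] &= ~0x100UL;
#endif
}

/* Returns 1 when the trap reached the program (no debugger swallowed it),
   0 when it did not, and -1 when the check is not supported on this build. */
int single_step_reaches_program(void)
{
#ifdef TF_CHECK_SUPPORTED
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;
    g_trap_hit = 0;
    /* Same sequence as the post: pushfd / or 0x100 / popfd / nop. */
#if defined(__x86_64__)
    __asm__ volatile("pushfq\n\torl $0x100, (%%rsp)\n\tpopfq\n\tnop" ::: "cc", "memory");
#else
    __asm__ volatile("pushfl\n\torl $0x100, (%%esp)\n\tpopfl\n\tnop" ::: "cc", "memory");
#endif
    sigaction(SIGTRAP, &old, NULL);   /* put the previous SIGTRAP disposition back */
    return g_trap_hit ? 1 : 0;
#else
    return -1;
#endif
}
```

Run it once normally and once under gdb with `handle SIGTRAP nopass` to see the result flip, which is exactly the difference the post describes between a debugger that passes the exception on and one that keeps it.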